Abstract. The model checking problem for open systems has been widely studied in the literature, for both finite-state (module checking) and infinite-state (pushdown module checking) systems, with respect to CTL and CTL*. In this paper, we further investigate this problem with respect to the μ-calculus enriched with nominals and graded modalities (hybrid graded μ-calculus), in both the finite-state and infinite-state settings. Using an automata-theoretic approach, we show that hybrid graded μ-calculus module checking is solvable in exponential time, while hybrid graded μ-calculus pushdown module checking is solvable in double-exponential time. These results are also tight since they match the known lower bounds for CTL. We also investigate the module checking problem with respect to the hybrid graded μ-calculus enriched with inverse programs (Fully enriched μ-calculus): by showing a reduction from the tiling problem, we show its undecidability. We conclude with a short overview of the model checking problem for the Fully enriched μ-calculus and the fragments obtained by dropping at least one of the additional constructs.



1. Introduction

Model checking is a formal method, applied in system design, to automatically verify the ongoing behavior of reactive systems [CE81, QS81]. In this verification technique the behavior of a system, formally described by a mathematical model, is checked against a behavioral constraint, usually specified by a formula in an appropriate temporal logic (for a survey, see [CGP99]).

In the process of modeling a system, we distinguish between closed and open systems [HP85]. While the behavior of a closed system is completely determined by the state of the system, the behavior of an open system depends on the ongoing interaction with its environment [Hoa85]. In model checking open systems, introduced and called module checking in [KVW01], one should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. In such a framework, the open finite-state system is described by a labeled state-transition graph, called module, whose set of states is partitioned into system states (where the system makes a transition) and environment states (where the environment makes a transition). Given a module $\mathcal{M}$, describing the system to be verified, and a temporal logic formula $\varphi$ specifying the desired behavior of the system, module checking asks whether for all possible environments, $\mathcal{M}$ satisfies $\varphi$. Therefore, in module checking it is not sufficient to check whether the full computation tree obtained by unwinding $\mathcal{M}$ (that corresponds to the interaction of $\mathcal{M}$ with a maximal environment) satisfies $\varphi$, but it is also necessary to verify that all trees obtained from the full computation tree by pruning some subtrees rooted in nodes corresponding to choices disabled by the environment (those trees represent the interactions of $\mathcal{M}$ with all the possible environments) satisfy $\varphi$. We collect all such trees in a set named $exec(\mathcal{M})$. It is worth noticing that each tree in $exec(\mathcal{M})$ represents a "memoryful" behavior of the environment. Indeed, the unwinding of a module $\mathcal{M}$ induces duplication of nodes, which allows different prunings of subtrees. To see an example, consider a two-drink dispenser machine that serves, upon customer request, tea or coffee. The machine is an open system and an environment for the system is an infinite line of thirsty people. Since each person in the line can prefer both tea and coffee, or only tea, or only coffee, each person suggests a different disabling of the external choices. Accordingly, there are many different possible environments to consider. In [KV97, KVW01], it has been shown that while for linear-time logics model and module checking coincide, module checking for specifications given in CTL and CTL* is exponentially harder than model checking in the size of the formula and preserves the linearity in the size of the model. Indeed, CTL and CTL* module checking are EXPTIME-complete and 2EXPTIME-complete, respectively.

In [BMP05, AMV07], the module checking technique has been extended to infinite-state systems by considering open pushdown systems (OPD, for short). These are pushdown systems augmented with finite information that allows us to partition the set of configurations into system and environment configurations. To see an example of an open pushdown system, consider the above two-drink dispenser machine, with the additional constraint that a coffee can be served only if the number of coffees served up to that time is smaller than that of teas served. Such a machine can clearly be modeled as an open pushdown system (the stack is used to guarantee the inequality between served coffees and teas). In [BMP05], it has been shown that pushdown module checking is 2EXPTIME-complete for CTL and 3EXPTIME-complete for CTL*. Thus, for pushdown systems, and for specifications given in CTL and CTL*, module checking is exponentially harder than model checking with respect to the size of the formula, while it preserves the exponential complexity with respect to the size of the model [Wal96, Wal00].

Among the various formalisms used for specifying properties, a valid candidate is the μ-calculus, a very powerful propositional modal logic augmented with least and greatest fixpoint operators [Koz83] (for a recent survey, see also [BS06]). The Fully enriched μ-calculus [BP04] is the extension of the μ-calculus with inverse programs, graded modalities, and nominals. Intuitively, inverse programs allow us to travel backwards along accessibility relations [Var98], nominals are propositional variables interpreted as singleton sets [SV01], and graded modalities enable statements about the number of successors of a state [KSV02]. By dropping at least one of the additional constructs, we get a fragment of the Fully enriched μ-calculus. In particular, by inhibiting backward modalities we get the fragment we call hybrid graded μ-calculus. In [BP04], it has been shown that satisfiability is undecidable in the Fully enriched μ-calculus. On the other hand, it has been shown in [SV01, BLMV06] that satisfiability for each of its fragments is decidable and EXPTIME-complete (for more details, see also [BLMV08]). The upper bound result is based on an automata-theoretic approach via two-way graded alternating parity tree automata (2GAPT), along with the fact that each fragment of the Fully enriched μ-calculus enjoys the quasi-forest model property. Intuitively, 2GAPT generalize alternating automata on infinite trees in the same way as inverse programs and graded modalities enrich the standard μ-calculus: 2GAPT can move up to a node's predecessor and move down to at least $n$ or all but $n$ successors. Moreover, a quasi-forest is a forest where nodes can have roots as successors, and having the quasi-forest model property means that any satisfiable formula has a quasi-forest as model. Using 2GAPT and the quasi-forest model property, it has been shown in [SV01, BLMV06] that given a formula $\varphi$ of a fragment of the Fully enriched μ-calculus, it is possible to construct a 2GAPT accepting all trees encoding¹ quasi-forests modeling $\varphi$. Then, the exponential upper bound follows from the fact that the emptiness problem for 2GAPT is solvable in PTIME [KPV02].

In this paper, we further investigate the module checking problem and its infinite-state extension, with respect to the hybrid graded μ-calculus. To see an example of module checking a finite-state open system w.r.t. a hybrid graded μ-calculus specification, consider again the above two-drink dispenser machine with the following extra feature: whenever a customer can choose a drink, he can also call the customer service or the security service. Suppose also that by taking one of these two new choices, the drink-dispenser machine stops dispensing drinks, up to the moment the customer finishes operating with the service. Assume that, for the labeled state-transition graph modeling the system, we label by $choose$ the choosing state and by the nominals $o_c$ and $o_s$ the states in which the interaction with the customer and the security services start, respectively. Moreover, suppose we want to check the following property: "whenever the customer comes at a choice, he can choose for both the customer and the security services". This property can be formalized by the hybrid graded μ-calculus formula $\nu x.\,((choose \rightarrow \langle 1, call\rangle (o_c \vee o_s)) \wedge [0, -]x)$, which reads "it is always true that whenever the drink-dispenser is in the $choose$ state, there are at least 2 $call$-successors in which $(o_c \vee o_s)$ holds". Clearly, the considered open system does not satisfy this formula. Indeed, it is not satisfied by the particular behavior that always chooses the same service.

By exploiting an automata-theoretic approach via tree automata, we show that hybrid graded μ-calculus module checking is decidable and solvable in EXPTIME in the size of the formula and PTIME in the size of the system. Thus, as in general, we pay an exponential-time blowup with respect to the model checking problem (and only w.r.t. the size of the formula) for the module checking investigation. In particular, we reduce the addressed module checking problem to the emptiness problem for graded alternating parity tree automata (GAPT). In more detail, given a module $\mathcal{M}$ and a hybrid graded μ-calculus formula $\varphi$, we first construct in polynomial time a Büchi tree automaton (NBT) $\mathcal{A}_{\mathcal{M}}$ accepting $exec(\mathcal{M})$. The construction of $\mathcal{A}_{\mathcal{M}}$ we propose here extends that used in [KVW01] by also taking into account that $\mathcal{M}$ must be unwound into a quasi-forest, rather than a tree, with both nodes and edges labeled. Thus, the set $exec(\mathcal{M})$ is a set of quasi-forests, and the automaton $\mathcal{A}_{\mathcal{M}}$ we construct will accept all tree encodings of all quasi-forests of $exec(\mathcal{M})$. From the formula side, according to [BLMV06], we can construct in polynomial time a GAPT $\mathcal{A}_{\neg\varphi}$ accepting all models that do not satisfy $\varphi$, with the intent to check that none of these models are in $exec(\mathcal{M})$. Thus, we check that $\mathcal{M}$ models $\varphi$ for every possible choice of the environment by checking whether $\mathcal{L}(\mathcal{A}_{\mathcal{M}}) \cap \mathcal{L}(\mathcal{A}_{\neg\varphi})$ is empty. The results follow from the fact that an NBT is a particular case of GAPT, which are closed under intersection and have the emptiness problem solvable in EXPTIME [BLMV06]. We also show a lower bound matching the obtained upper bound by using a reduction from the module checking problem for CTL, known to be EXPTIME-hard.

¹ Encoding is done by using a new root node that connects all roots of the quasi-forest and new atomic propositions which are used to encode programs and successor nodes corresponding to nominals.

By exploiting again an automata-theoretic approach, we show that hybrid graded μ-calculus pushdown module checking is decidable and solvable in 2EXPTIME in the size of the formula and EXPTIME in the size of the system. Thus, as in general, with respect to the finite-state model checking case we pay an exponential-time blowup in the size of both the system and the formula for the use of pushdown systems, and another exponential-time blowup in the size of the formula for the module checking investigation. Our approach allows us to avoid the trivial 2EXPTIME result in both the size of the system and the formula, which can be easily obtained by combining the algorithms existing in the literature with the one we introduce in this paper for the finite-state case. We solve the hybrid graded μ-calculus pushdown module checking problem by using a reduction to the emptiness problem for nondeterministic pushdown parity tree automata (PD-NPT). The algorithm we propose extends that given for the finite-state case. In particular, given an OPD $\mathcal{S}$, a module $\mathcal{M}$ induced by the configurations of $\mathcal{S}$, and a hybrid graded μ-calculus formula $\varphi$, we first construct in polynomial time a pushdown Büchi tree automaton (PD-NBT) $\mathcal{A}_{\mathcal{M}}$ accepting $exec(\mathcal{M})$. From the formula side, according to [BLMV06], we can construct in polynomial time a GAPT $\mathcal{A}_{\neg\varphi}$ accepting all models that do not satisfy $\varphi$. Thus, we can check that $\mathcal{M}$ models $\varphi$ for every possible choice of the environment by checking whether $\mathcal{L}(\mathcal{A}_{\mathcal{M}}) \cap \mathcal{L}(\mathcal{A}_{\neg\varphi})$ is empty. By showing a non-trivial exponential reduction of 2GAPT into NPT, we show a 2EXPTIME upper bound for the addressed problem. Since the pushdown module checking problem for CTL is 2EXPTIME-hard, we get that the addressed problem is then 2EXPTIME-complete.

As regards the Fully enriched μ-calculus, we also investigate the module checking problem in a "rewind" framework, in the following sense. As far as backward modalities are concerned, every time the system goes back to an environment node, the environment is always able to redefine a new pruning choice. Given a module $\mathcal{M}$ and a Fully enriched μ-calculus formula $\varphi$, we solve the rewind module checking problem by checking that all trees in $exec(\mathcal{M})$, always taking the same choice in duplicate environment nodes, satisfy $\varphi$. By showing a reduction from the tiling problem [Ber66], we show that the addressed problem is undecidable.

We conclude the paper with short considerations on model checking for all of the fragments of the Fully enriched μ-calculus. In particular, we show the problem to be EXPTIME-complete for a pushdown system which is allowed to push one symbol at a time onto the stack, with respect to any fragment not including the graded modality; for the fragments with the graded modality, we show a 2EXPTIME upper bound.

The rest of the paper is organized as follows. In Section 2 we give all the necessary preliminaries, Section 3 contains the definition of module checking w.r.t. the hybrid graded μ-calculus, and Section 4 contains definitions and known results about 2GAPT and PD-NPT. In Sections 5 and 6 we give our main results on module checking for the hybrid graded μ-calculus. In Section 7 we show the undecidability result for Fully enriched module checking and conclude in Section 8 with some complexity considerations on model checking with all the fragments of the Fully enriched μ-calculus.
2. Preliminaries

In this section, we recall the definitions of labeled forests and of the hybrid graded μ-calculus. We refer to [BLMV06] for more technical definitions and motivating examples.

2.1. Labeled Forests. For a finite set $X$, we denote the size of $X$ by $|X|$, the set of words over $X$ by $X^*$, the empty word by $\varepsilon$, and with $X^+$ we denote $X^* \setminus \{\varepsilon\}$. Given a word $w$ in $X^*$ and a symbol $a$ of $X$, we use $w \cdot a$ to denote the word $wa$. Let $\mathbb{N}$ be the set of positive integers. For $n \in \mathbb{N}$, let $[n]$ denote the set $\{1, 2, \ldots, n\}$. A forest is a set $F \subseteq \mathbb{N}^+$ such that if $x \cdot c \in F$, where $x \in \mathbb{N}^+$ and $c \in \mathbb{N}$, then also $x \in F$. The elements of $F$ are called nodes, and words consisting of a single natural number are roots of $F$. For each root $r \in F$, the set $T = \{r \cdot x \mid x \in \mathbb{N}^* \text{ and } r \cdot x \in F\}$ is a tree of $F$ (the tree rooted at $r$). For $x \in F$, the nodes $x \cdot c \in F$ where $c \in \mathbb{N}$ are the successors of $x$, denoted $sc(x)$, and $x$ is their predecessor. The number of successors of a node $x$ is called the degree of $x$ ($deg(x)$). The degree $h$ of a forest $F$ is the maximum of the degrees of all nodes in $F$ and the number of roots. A forest with degree $h$ is an $h$-ary forest. A full $h$-ary forest is a forest having $h$ roots and all nodes with degree $h$.

Let $F \subseteq \mathbb{N}^+$ be a forest, $x$ a node in $F$, and $c \in \mathbb{N}$. As a convention, we take $x \cdot \varepsilon = \varepsilon \cdot x = x$, $(x \cdot c) \cdot -1 = x$, and $c \cdot -1$ as undefined. We call $x$ a leaf if it has no successors. A path $\pi$ in $F$ is a word $\pi = x_1 x_2 \ldots$ of $F$ such that $x_1$ is a root of $F$ and for every $x_i \in \pi$, either $x_i$ is a leaf (i.e., $\pi$ ends in $x_i$) or $x_i$ is a predecessor of $x_{i+1}$. Given two alphabets $\Sigma_1$ and $\Sigma_2$, a $(\Sigma_1, \Sigma_2)$-labeled forest is a triple $(F, V, E)$, where $F$ is a forest, $V : F \to \Sigma_1$ maps each node of $F$ to a letter in $\Sigma_1$, and $E : F \times F \to \Sigma_2$ is a partial function that maps each pair $(x, y)$, with $y \in sc(x)$, to a letter in $\Sigma_2$. As a particular case, we consider a forest without labels on edges as a $\Sigma_1$-labeled forest $(F, V)$, and a tree as a forest containing exactly one tree. A quasi-forest is a forest where each node may also have roots as successors. For a node $x$ of a quasi-forest, we set $children(x) = sc(x) \setminus \mathbb{N}$. All the other definitions regarding forests easily extend to quasi-forests. Notice that in a quasi-forest, since each node can have a root as successor, a root can also have several predecessors, while every other node has just one. Clearly, a quasi-forest can always be transformed into a forest by removing root successors.

2.2. Hybrid Graded μ-Calculus. Let $AP$, $Var$, $Prog$, and $Nom$ be finite and pairwise disjoint sets of atomic propositions, propositional variables, atomic programs (which allow to travel the system along accessibility relations), and nominals (which are particular atomic propositions interpreted as singleton sets). The set of hybrid graded μ-calculus formulas is the smallest set such that

• $true$ and $false$ are formulas;
• $p$ and $\neg p$, for $p \in AP$, are formulas;
• $o$ and $\neg o$, for $o \in Nom$, are formulas;
• $x \in Var$ is a formula;
• if $\varphi_1$ and $\varphi_2$ are formulas, $a \in Prog$, $n$ is a non-negative integer, and $y \in Var$, then the following are also formulas: $\varphi_1 \vee \varphi_2$, $\varphi_1 \wedge \varphi_2$, $\langle n, a\rangle \varphi_1$, $[n, a]\varphi_1$, $\mu y.\varphi_1(y)$, and $\nu y.\varphi_1(y)$.

Observe that we use positive normal form, i.e., negation is applied only to atomic propositions.
We call $\mu$ and $\nu$ fixpoint operators. A propositional variable $y$ occurs free in a formula if it is not in the scope of a fixpoint operator. A sentence is a formula that contains no free variables. We often refer to the graded modalities $\langle n, a\rangle\varphi_1$ and $[n, a]\varphi_1$ as atleast formulas and allbut formulas, respectively, and assume that the integers in these operators are given in binary coding: the contribution of $n$ to the length of the formulas $\langle n, a\rangle\varphi$ and $[n, a]\varphi$ is $\lceil \log n \rceil$ rather than $n$.

The semantics of the hybrid graded μ-calculus is defined with respect to a Kripke structure, i.e., a tuple $\mathcal{K} = (W, W_0, R, L)$ where $W$ is a non-empty set of states, $W_0 \subseteq W$ is the set of initial states, $R : Prog \to 2^{W \times W}$ is a function that assigns to each atomic program a transition relation over $W$, and $L : AP \cup Nom \to 2^W$ is a labeling function that assigns to each atomic proposition and nominal a set of states such that the sets assigned to nominals are singletons and subsets of $W_0$. If $(w, w') \in R(a)$, we say that $w'$ is an $a$-successor of $w$. Informally, an atleast formula $\langle n, a\rangle\varphi$ holds at a state $w$ of $\mathcal{K}$ if $\varphi$ holds in at least $n + 1$ $a$-successors of $w$. Dually, the allbut formula $[n, a]\varphi$ holds in a state $w$ of $\mathcal{K}$ if $\varphi$ holds in all but at most $n$ $a$-successors of $w$. Note that $\neg\langle n, a\rangle\varphi$ is equivalent to $[n, a]\neg\varphi$, and the modalities $\langle a\rangle\varphi$ and $[a]\varphi$ of the standard μ-calculus can be expressed as $\langle 0, a\rangle\varphi$ and $[0, a]\varphi$, respectively.

To formalize the semantics, we introduce valuations. Given a Kripke structure $\mathcal{K} = (W, W_0, R, L)$ and a set $\{y_1, \ldots, y_n\}$ of variables in $Var$, a valuation $\mathcal{V} : \{y_1, \ldots, y_n\} \to 2^W$ is an assignment of subsets of $W$ to the variables $y_1, \ldots, y_n$. For a valuation $\mathcal{V}$, a variable $y$, and a set $W' \subseteq W$, we denote by $\mathcal{V}[y \leftarrow W']$ the valuation obtained from $\mathcal{V}$ by assigning $W'$ to $y$. A formula $\varphi$ with free variables among $y_1, \ldots, y_n$ is interpreted over $\mathcal{K}$ as a mapping $\varphi^{\mathcal{K}}$ from valuations to $2^W$, i.e., $\varphi^{\mathcal{K}}(\mathcal{V})$ denotes the set of points that satisfy $\varphi$ under valuation $\mathcal{V}$. The mapping $\varphi^{\mathcal{K}}$ is defined inductively as follows:

• $true^{\mathcal{K}}(\mathcal{V}) = W$ and $false^{\mathcal{K}}(\mathcal{V}) = \emptyset$;
• for $p \in AP \cup Nom$, we have $p^{\mathcal{K}}(\mathcal{V}) = L(p)$ and $(\neg p)^{\mathcal{K}}(\mathcal{V}) = W \setminus L(p)$;
• for $y \in Var$, we have $y^{\mathcal{K}}(\mathcal{V}) = \mathcal{V}(y)$;
• $(\varphi_1 \wedge \varphi_2)^{\mathcal{K}}(\mathcal{V}) = \varphi_1^{\mathcal{K}}(\mathcal{V}) \cap \varphi_2^{\mathcal{K}}(\mathcal{V})$ and $(\varphi_1 \vee \varphi_2)^{\mathcal{K}}(\mathcal{V}) = \varphi_1^{\mathcal{K}}(\mathcal{V}) \cup \varphi_2^{\mathcal{K}}(\mathcal{V})$;
• $(\langle n, a\rangle\varphi)^{\mathcal{K}}(\mathcal{V}) = \{w : |\{w' \in W : (w, w') \in R(a) \text{ and } w' \in \varphi^{\mathcal{K}}(\mathcal{V})\}| \geq n + 1\}$;
• $([n, a]\varphi)^{\mathcal{K}}(\mathcal{V}) = \{w : |\{w' \in W : (w, w') \in R(a) \text{ and } w' \notin \varphi^{\mathcal{K}}(\mathcal{V})\}| \leq n\}$;
• $(\mu y.\varphi(y))^{\mathcal{K}}(\mathcal{V}) = \bigcap\{W' \subseteq W : \varphi^{\mathcal{K}}(\mathcal{V}[y \leftarrow W']) \subseteq W'\}$;
• $(\nu y.\varphi(y))^{\mathcal{K}}(\mathcal{V}) = \bigcup\{W' \subseteq W : W' \subseteq \varphi^{\mathcal{K}}(\mathcal{V}[y \leftarrow W'])\}$.

For a state $w$ of a Kripke structure $\mathcal{K}$, we say that $\mathcal{K}$ satisfies $\varphi$ at $w$ if $w \in \varphi^{\mathcal{K}}$. In what follows, a formula $\varphi$ counts up to $b$ if the maximal integer in atleast and allbut formulas used in $\varphi$ is $b - 1$.

3. Hybrid graded μ-calculus module checking

In this paper we consider open systems, i.e., systems that interact with their environment and whose behavior depends on this interaction. The (global) behavior of such a system is described by a module $\mathcal{M} = (W_s, W_e, W_0, R, L)$, which is a Kripke structure where the set of states $W = W_s \cup W_e$ is partitioned into system states $W_s$ and environment states $W_e$.

Given a module $\mathcal{M}$, we assume that its states are ordered and the number of successors of each state $w$ is finite. For each $w \in W$, we denote by $succ(w)$ the ordered tuple (possibly empty) of $w$'s $a$-successors, for all $a \in Prog$. When $\mathcal{M}$ is in a system state $w_s$, then all states in $succ(w_s)$ are possible next states. On the other hand, when $\mathcal{M}$ is in an environment state $w_e$, the possible next states (that are in $succ(w_e)$) depend on the current environment. Since the behavior of the environment is not predictable, we have to consider all the possible sub-tuples of $succ(w_e)$. The only constraint, since we consider environments that cannot block the system, is that not all the transitions from $w_e$ are disabled.

The set of all (maximal) computations of $\mathcal{M}$, starting from $W_0$, is described by a $(W, Prog)$-labeled quasi-forest $(F_{\mathcal{M}}, V_{\mathcal{M}}, E_{\mathcal{M}})$, called computation quasi-forest, which is obtained by unwinding $\mathcal{M}$ in the usual way. The problem of deciding, for a given branching-time formula $\varphi$ over $AP \cup Nom$, whether $(F_{\mathcal{M}}, L \circ V_{\mathcal{M}}, E_{\mathcal{M}})$ satisfies $\varphi$ at a root node, denoted $\mathcal{M} \models \varphi$, is the usual model checking problem [CE81, QS81]. On the other hand, for an open system $\mathcal{M}$, the quasi-forest $(F_{\mathcal{M}}, V_{\mathcal{M}}, E_{\mathcal{M}})$ corresponds to a very specific environment, i.e., a maximal environment that never restricts the set of its next states. Therefore, when we examine a branching-time formula $\varphi$ w.r.t. $\mathcal{M}$, the formula $\varphi$ should hold not only in $(F_{\mathcal{M}}, V_{\mathcal{M}}, E_{\mathcal{M}})$, but in all quasi-forests obtained by pruning from $(F_{\mathcal{M}}, V_{\mathcal{M}}, E_{\mathcal{M}})$ subtrees rooted at children of environment nodes, as well as inhibiting some of their jumps to roots (that is, successor nodes labeled with nominals), if there are any. The set of these quasi-forests, which collects all possible behaviors of the environment, is denoted by $exec(\mathcal{M})$ and is formally defined as follows. A quasi-forest $(F, V, E) \in exec(\mathcal{M})$ iff

• for each $w_i \in W_0$, we have $V(i) = w_i$;
• for each $x \in F$, with $V(x) = w$, $succ(w) = (w_1, \ldots, w_n, w_{n+1}, \ldots, w_{n+m})$, and $succ(w) \cap W_0 = (w_{n+1}, \ldots, w_{n+m})$, there exists a sub-tuple $S = (w'_1, \ldots, w'_p, w'_{p+1}, \ldots, w'_{p+q})$ of $succ(w)$ such that $p + q \geq 1$ and the following hold:
  – $S = succ(w)$ if $w \in W_s$;
  – $children(x) = \{x \cdot 1, \ldots, x \cdot p\}$ and, for $1 \leq j \leq p$, we have $V(x \cdot j) = w'_j$ and $E(x, x \cdot j) = a$ if $(w, w'_j) \in R(a)$;
  – for $1 \leq j \leq q$, let $x_j \in \mathbb{N}$ be such that $V(x_j) = w'_{p+j}$; then $E(x, x_j) = a$ if $(w, w'_{p+j}) \in R(a)$.

In the following, we consider quasi-forests in $exec(\mathcal{M})$ as labeled with $(2^{AP \cup Nom}, Prog)$, i.e., taking the label of a node $x$ as $L(V(x))$. For a module $\mathcal{M}$ and a formula $\varphi$ of the hybrid graded μ-calculus, we say that $\mathcal{M}$ reactively satisfies $\varphi$, denoted $\mathcal{M} \models_r \varphi$ (where "r" stands for reactively), if all quasi-forests in $exec(\mathcal{M})$ satisfy $\varphi$. The problem of deciding whether $\mathcal{M} \models_r \varphi$ is called hybrid graded μ-calculus module checking.
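To make the definitions of Sections 2.2 and 3 concrete, the following Python program (an added example, not code from the paper) implements the valuation semantics $\varphi^{\mathcal{K}}(\mathcal{V})$ by Kleene iteration on a finite Kripke structure and replays the drink-dispenser property of the introduction: the maximal environment satisfies the formula, while the pruning in which the customer always picks the same service does not. It also enumerates memoryless environments (one fixed non-empty sub-tuple of $succ(w_e)$ per environment state) to find such a counterexample; the program name `ANY` standing for the paper's "$-$" (any atomic program), the state and program names, and the choice of checking $\varphi$ at every initial state are assumptions of the example.

```python
"""Hybrid graded mu-calculus semantics on a finite Kripke structure, applied to
the two-drink dispenser module (constructed example, tuples in positive normal form)."""
from itertools import combinations

ANY = '*'   # assumed name for the paper's "-" (move along any atomic program)

def successors(K, w, a):
    """a-successors of w; ANY unions the relations of all atomic programs."""
    rels = K['R'].values() if a == ANY else [K['R'].get(a, set())]
    return {v for rel in rels for (u, v) in rel if u == w}

def sat(K, phi, V=None):
    """phi^K(V): the set of states of K satisfying phi under valuation V."""
    V = V or {}
    W, kind = K['W'], phi[0]
    if kind == 'true':
        return set(W)
    if kind == 'false':
        return set()
    if kind == 'prop':                       # atomic proposition or nominal
        return set(K['L'].get(phi[1], set()))
    if kind == 'nprop':
        return set(W) - set(K['L'].get(phi[1], set()))
    if kind == 'var':
        return set(V[phi[1]])
    if kind == 'and':
        return sat(K, phi[1], V) & sat(K, phi[2], V)
    if kind == 'or':
        return sat(K, phi[1], V) | sat(K, phi[2], V)
    if kind == 'atleast':                    # <n,a>psi: psi in >= n+1 a-successors
        _, n, a, psi = phi
        S = sat(K, psi, V)
        return {w for w in W if len(successors(K, w, a) & S) >= n + 1}
    if kind == 'allbut':                     # [n,a]psi: psi fails in <= n a-successors
        _, n, a, psi = phi
        S = sat(K, psi, V)
        return {w for w in W if len(successors(K, w, a) - S) <= n}
    if kind in ('mu', 'nu'):
        # Kleene iteration: positive normal form makes psi monotone in y, so on
        # a finite W the iteration reaches the least (mu) / greatest (nu) fixpoint.
        _, y, psi = phi
        cur = set() if kind == 'mu' else set(W)
        while True:
            nxt = sat(K, psi, {**V, y: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f'unknown formula kind {kind!r}')

def dispenser_module():
    """The drink dispenser as a module; 'choose' is its only environment state.
    Nominals o_c / o_s mark where the customer / security service starts."""
    return {
        'W': {'choose', 'tea', 'coffee', 'cust', 'sec'},
        'W0': {'choose', 'cust', 'sec'},       # nominals must lie in W0
        'We': {'choose'},                       # environment states
        'R': {
            'drink': {('choose', 'tea'), ('choose', 'coffee')},
            'call': {('choose', 'cust'), ('choose', 'sec')},
            'done': {(s, 'choose') for s in ('tea', 'coffee', 'cust', 'sec')},
        },
        'L': {'choose': {'choose'}, 'o_c': {'cust'}, 'o_s': {'sec'}},
    }

def dispenser_formula():
    """nu x.((choose -> <1,call>(o_c v o_s)) and [0,-]x) in positive normal form."""
    both = ('atleast', 1, 'call', ('or', ('prop', 'o_c'), ('prop', 'o_s')))
    return ('nu', 'x', ('and', ('or', ('nprop', 'choose'), both),
                        ('allbut', 0, ANY, ('var', 'x'))))

def prune(K, choice):
    """Keep, from each environment state w in choice, only the successors choice[w]."""
    R = {a: {(u, v) for (u, v) in rel if u not in choice or v in choice[u]}
         for a, rel in K['R'].items()}
    return {**K, 'R': R}

def memoryless_counterexample(K, phi):
    """Enumerate environments that fix one non-empty sub-tuple of successors per
    environment state (memoryless prunings) and return one under which some
    initial state violates phi, or None.  A hit refutes M |=_r phi; a miss is
    not a proof, since module checking also ranges over memoryful environments."""
    env = sorted(K['We'])
    options = [[set(c) for k in range(1, len(successors(K, w, ANY)) + 1)
                for c in combinations(sorted(successors(K, w, ANY)), k)]
               for w in env]

    def search(i, choice):
        if i == len(env):
            ok = K['W0'] <= sat(prune(K, choice), phi)
            return None if ok else {w: sorted(c) for w, c in choice.items()}
        for opt in options[i]:
            found = search(i + 1, {**choice, env[i]: opt})
            if found is not None:
                return found
        return None
    return search(0, {})
```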



3.1. Open Pushdown Systems (OPD). An OPD over $AP$, $Nom$ and $Prog$ is a tuple $\mathcal{S} = (Q, \Gamma, \flat, C_0, \Delta, \rho_1, \rho_2, Env)$, where $Q$ is a finite set of (control) states, $\Gamma$ is a finite stack alphabet, and $\flat \notin \Gamma$ is the stack bottom symbol. We set $\Gamma_\flat = \Gamma \cup \{\flat\}$, $Conf = Q \times (\Gamma^* \cdot \flat)$ to be the set of (pushdown) configurations, and for each configuration $(q, A \cdot \gamma)$, we set $top((q, A \cdot \gamma)) = (q, A)$ to be a top configuration. The function $\Delta : Prog \to 2^{(Q \times \Gamma_\flat) \times (Q \times \Gamma_\flat^*)}$ is a finite set of transition rules such that $\flat$ is always present at the bottom of the stack and nowhere else (thus whenever $\flat$ is read, it is pushed back). Note that we make this assumption also about the various pushdown automata we use later. The set $C_0 \subseteq Conf$ is a finite set of initial configurations, $\rho_1 : AP \to 2^{Q \times \Gamma_\flat}$ and $\rho_2 : Nom \to C_0$ are labeling functions associating respectively to each atomic proposition $p$ a set of top configurations in which $p$ holds and to each nominal exactly one initial configuration. Finally, $Env \subseteq Q \times \Gamma_\flat$ specifies the set of environment configurations. The size $|\mathcal{S}|$ of $\mathcal{S}$ is $|Q| + |\Delta| + |\Gamma|$.
The OPD moves in accordance with the transition relation $\Delta$. Thus, $((q, A), (q', \gamma)) \in \Delta(a)$ implies that if the OPD is in state $q$ and the top of the stack is $A$, it can move along with an $a$-transition to state $q'$, and substitute $\gamma$ for $A$. Also note that the possible operations of the system, the labeling functions, and the designation of configurations as environment configurations, are all dependent only on the current control state and the top of the stack.

An OPD $\mathcal{S}$ induces a module $\mathcal{M}_{\mathcal{S}} = (W_s, W_e, W_0, R, L)$, where:

• $W_s \cup W_e = Conf$, i.e. the set of pushdown configurations, and $W_0 = C_0$;
• $W_e = \{c \in Conf \mid top(c) \in Env\}$;
• $((q, A \cdot \gamma), (q', \gamma' \cdot \gamma)) \in R(a)$ iff there is $((q, A), (q', \gamma')) \in \Delta(a)$;
• $L(p) = \{c \in Conf \mid top(c) \in \rho_1(p)\}$ for $p \in AP$; $L(o) = \rho_2(o)$ for $o \in Nom$.

The hybrid graded (μ-calculus) pushdown module checking problem is to decide, for a given OPD $\mathcal{S}$ and a hybrid graded μ-calculus formula $\varphi$, whether $\mathcal{M}_{\mathcal{S}} \models_r \varphi$.

4. Tree Automata

4.1. Two-way Graded Alternating Parity Tree Automata (2GAPT). These automata have been introduced and deeply investigated in [BLMV06]. In this section we just recall the main definitions and results and refer to the literature for more details. Intuitively, 2GAPT are an extension of nondeterministic tree automata in such a way that a 2GAPT can send several copies of itself to the same successor (alternating), send copies of itself to the predecessor (two-way), specify a number $n$ of successors to which copies of itself are sent (graded), and accept trees along with a parity acceptance condition. To give a more formal definition, let us recall some technicalities from [BLMV06].

For a given set $Y$, let $B^+(Y)$ be the set of positive Boolean formulas over $Y$ (i.e., Boolean formulas built from elements in $Y$ using $\wedge$ and $\vee$), where we also allow the formulas $true$ and $false$ and $\wedge$ has precedence over $\vee$. For a set $X \subseteq Y$ and a formula $\theta \in B^+(Y)$, we say that $X$ satisfies $\theta$ iff assigning $true$ to elements in $X$ and assigning $false$ to elements in $Y \setminus X$ makes $\theta$ true. For $b > 0$, let $\langle[b]\rangle = \{\langle 0\rangle, \langle 1\rangle, \ldots, \langle b\rangle\}$, $[[b]] = \{[0], [1], \ldots, [b]\}$, and $D_b = \langle[b]\rangle \cup [[b]] \cup \{-1, \varepsilon\}$. Intuitively, $D_b$ collects all possible directions in which the automaton can proceed.

Formally, a 2GAPT on $\Sigma$-labeled trees is a tuple $\mathcal{A} = (\Sigma, b, Q, \delta, q_0, \mathcal{F})$, where $\Sigma$ is the input alphabet, $b > 0$ is a counting bound, $Q$ is a finite set of states, $\delta : Q \times \Sigma \to B^+(D_b \times Q)$ is a transition function, $q_0 \in Q$ is an initial state, and $\mathcal{F}$ is a parity acceptance condition (see below). Intuitively, an atom $(\langle n\rangle, q)$ (resp. $([n], q)$) means that $\mathcal{A}$ sends copies in state $q$ to $n + 1$ (resp. all but $n$) different successors of the current node, $(\varepsilon, q)$ means that $\mathcal{A}$ sends a copy (in state $q$) to the current node, and $(-1, q)$ means that $\mathcal{A}$ sends a copy to the predecessor of the current node. A run of $\mathcal{A}$ on an input $\Sigma$-labeled tree $(T, V)$ is a tree $(T_r, r)$ in which each node is labeled by an element of $T \times Q$. Intuitively, a node in $T_r$ labeled by $(x, q)$ describes a copy of the automaton in state $q$ that reads the node $x$ of $T$. Runs start in the initial state and satisfy the transition relation. Thus, a run $(T_r, r)$ with root $z$ has to satisfy the following: (i) $r(z) = (1, q_0)$ for the root $1$ of $T$ and (ii) for all $y \in T_r$ with $r(y) = (x, q)$ and $\delta(q, V(x)) = \theta$, there is a (possibly empty) set $S \subseteq D_b \times Q$, such that $S$ satisfies $\theta$, and for all $(d, s) \in S$, the following hold:

• If $d \in \{-1, \varepsilon\}$, then $x \cdot d$ is defined, and there is $j \in \mathbb{N}$ such that $y \cdot j \in T_r$ and $r(y \cdot j) = (x \cdot d, s)$.
• If $d = \langle n\rangle$, there are at least $n + 1$ distinct indexes $i_1, \ldots, i_{n+1}$ such that for all $1 \leq j \leq n + 1$, there is $j' \in \mathbb{N}$ such that $y \cdot j' \in T_r$, $x \cdot i_j \in T$, and $r(y \cdot j') = (x \cdot i_j, s)$.
• If $d = [n]$, there are at least $deg(x) - n$ distinct indexes $i_1, \ldots, i_{deg(x)-n}$ such that for all $1 \leq j \leq deg(x) - n$, there is $j' \in \mathbb{N}$ such that $y \cdot j' \in T_r$, $x \cdot i_j \in T$, and $r(y \cdot j') = (x \cdot i_j, s)$.

Note that if $\theta = true$, then $y$ does not need to have successors. This is the reason why $T_r$ may have leaves. Also, since there exists no set $S$ as required for $\theta = false$, we cannot have a run that takes a transition with $\theta = false$.

A run $(T_r, r)$ is accepting if all its infinite paths satisfy the acceptance condition. In the parity acceptance condition, $\mathcal{F}$ is a set $\{F_1, \ldots, F_k\}$ such that $F_1 \subseteq \ldots \subseteq F_k = Q$ and $k$ is called the index of the automaton. An infinite path $\pi$ on $T_r$ satisfies $\mathcal{F}$ if there is an even $i$ such that $\pi$ contains infinitely many states from $F_i$ and finitely many states from $F_{i-1}$. An automaton accepts a tree iff there exists an accepting run of the automaton on the tree. We denote by $\mathcal{L}(\mathcal{A})$ the set of all $\Sigma$-labeled trees that $\mathcal{A}$ accepts. The emptiness problem for an automaton $\mathcal{P}$ is to decide whether $\mathcal{L}(\mathcal{P}) = \emptyset$.

A 2GAPT is a GAPT (i.e., "one-way") if $\delta : Q \times \Sigma \to B^+((D_b \setminus \{-1\}) \times Q)$, and a 2APT (i.e., "non-graded") if $\delta : Q \times \Sigma \to B^+(\{-1, \varepsilon, 1, \ldots, h\} \times Q)$. As a particular case of 2APT, we also consider nondeterministic parity tree automata (NPT) [KVW00]. Formally, an NPT on $\Sigma$-labeled trees is a tuple $\mathcal{A} = (\Sigma, D, Q, \delta, q_0, \mathcal{F})$, where $\Sigma$, $Q$, $q_0$, and $\mathcal{F}$ are as in 2APT, $D$ is a finite set of branching degrees, and $\delta : Q \times \Sigma \times D \to 2^{Q^*}$ is a transition function satisfying $\delta(q, \sigma, d) \subseteq Q^d$, for each $q \in Q$, $\sigma \in \Sigma$, and $d \in D$. Finally, we also consider the Büchi acceptance condition $\mathcal{G} \subseteq Q$, which simply is the special parity condition $\{\emptyset, \mathcal{G}, Q\}$. Thus, we use in the following the acronym NBT to denote nondeterministic Büchi tree automata on $\Sigma$-labeled trees.

The following results on 2GAPT will be useful in the rest of the paper.

Theorem 1. [BLMV06] The emptiness problem for a GAPT $\mathcal{A} = (\Sigma, b, Q, \delta, q_0, \mathcal{F})$ can be solved in time linear in the size of $\Sigma$ and $b$, and exponential in the index of the automaton and the number of states.

Lemma 1. [BLMV06] Given two GAPT $\mathcal{A}_1$ and $\mathcal{A}_2$, there exists a GAPT $\mathcal{A}$ such that $\mathcal{L}(\mathcal{A}) = \mathcal{L}(\mathcal{A}_1) \cap \mathcal{L}(\mathcal{A}_2)$ and whose size is linear in the size of $\mathcal{A}_1$ and $\mathcal{A}_2$.

We now recall a result on GAPT and hybrid graded μ-calculus formulas.

Lemma 2 ([BLMV06]). Given a hybrid graded μ-calculus sentence $\varphi$ with $\ell$ atleast subsentences and counting up to $b$, it is possible to construct a GAPT with $O(|\varphi|^2)$ states, index $|\varphi|$, and counting bound $b$ that accepts exactly each tree that encodes a quasi-forest model of $\varphi$.

4.2. Nondeterministic Pushdown Parity Tree Automata (PD-NPT). A PD-NPT (without $\varepsilon$-transitions), on $\Sigma$-labeled full $h$-ary trees, is a tuple $\mathcal{P} = (\Sigma, \Gamma, \flat, Q, q_0, \gamma_0, \rho, \mathcal{F})$, where $\Sigma$ is a finite input alphabet, $\Gamma$, $\flat$, $\Gamma_\flat$, and $Q$ are as in OPD, $(q_0, \gamma_0)$ is the initial configuration, $\rho : Q \times \Sigma \times \Gamma_\flat \to 2^{(Q \times \Gamma^*)^h}$ is a transition function, and $\mathcal{F}$ is a parity acceptance condition over $Q$. Intuitively, when $\mathcal{P}$ is in state $q$, reading an input node $x$ labeled by $\sigma \in \Sigma$, and the stack contains a word $A \cdot \gamma \in \Gamma^* \cdot \flat$, then $\mathcal{P}$ chooses a tuple $((q_1, \gamma_1), \ldots, (q_h, \gamma_h)) \in \rho(q, \sigma, A)$ and splits in $h$ copies such that for each $1 \le i \le h$, a copy in configuration $(q_i, \gamma_i \cdot \gamma)$ is sent to the node $x \cdot i$ in the input tree. A run of $\mathcal{P}$ on a $\Sigma$-labeled full $h$-ary tree $(T, V)$ is a $(Q \times \Gamma^* \cdot \flat)$-labeled tree $(T, r)$ such that

• $r(\varepsilon) = (q_0, \gamma_0)$, and

• for each $x \in T$ with $r(x) = (q, A \cdot \gamma)$, there is $((q_1, \gamma_1), \ldots, (q_h, \gamma_h)) \in \rho(q, V(x), A)$ such that, for all $1 \le i \le h$, we have $r(x \cdot i) = (q_i, \gamma_i \cdot \gamma)$.

The notion of accepting path is defined with respect to the control states that appear 
infinitely often in the path (thus without taking into account any stack content). Then, the 
notions given for 2GAPT regarding accepting runs, accepted trees, and accepted languages, 
along with the parity acceptance condition, easily extend to PD-NPT. In the following, we 
denote with PD-NBT a PD-NPT with a Büchi condition. We now recall two useful results 
on the introduced automata. 

Proposition 4.1 ([KPV02]). The emptiness problem for a PD-NPT on $\Sigma$-labeled full $h$-ary trees, having index $m$, $n$ states, and transition function $\rho$, can be solved in time exponential in $n \cdot m \cdot h \cdot |\rho|$.

Proposition 4.2 ([BMP05]). Given a PD-NBT $\mathcal{P} = (\Sigma, \Gamma, \flat, Q, q_0, \gamma_0, \rho, \mathcal{F})$ on $\Sigma$-labeled full $h$-ary trees, and an NPT $\mathcal{A} = (\Sigma, Q', q'_0, \delta, \mathcal{F}')$, there is a PD-NPT $\mathcal{P}'$ on $\Sigma$-labeled full $h$-ary trees, such that $\mathcal{L}(\mathcal{P}') = \mathcal{L}(\mathcal{P}) \cap \mathcal{L}(\mathcal{A})$. Moreover, $\mathcal{P}'$ has $|Q| \cdot |Q'|$ states, the same index as $\mathcal{A}$, and the size of the transition relation is bounded by $|\rho| \cdot |\delta| \cdot h$.

5. Deciding Hybrid Graded $\mu$-calculus Module Checking

In this section, we solve the module checking problem for the hybrid graded $\mu$-calculus. In particular, we show that this problem is decidable and ExpTime-complete. For the upper bound, we give an algorithm based on an automata-theoretic approach, by extending an idea of [KVW01]. For the lower bound, we give a reduction from the module checking problem for CTL, known to be ExpTime-hard. We start with the upper bound.

Let $\mathcal{M}$ be a module and $\varphi$ a hybrid graded $\mu$-calculus formula. We decide the module checking problem for $\mathcal{M}$ against $\varphi$ by building a GAPT $\mathcal{A}_{\mathcal{M} \times \neg\varphi}$ as the intersection of two automata. Essentially, the first automaton, denoted by $\mathcal{A}_\mathcal{M}$, is a Büchi automaton that accepts tree encodings of labeled quasi-forests of $exec(\mathcal{M})$, and the second automaton is a GAPT $\mathcal{A}_{\neg\varphi}$ that accepts all tree encodings of labeled quasi-forests that do not satisfy $\varphi$ (i.e., $\neg\varphi$ is satisfied at all initial nodes). Thus, $\mathcal{M} \models_r \varphi$ iff $\mathcal{L}(\mathcal{A}_{\mathcal{M} \times \neg\varphi})$ is empty.

The construction of $\mathcal{A}_\mathcal{M}$ proposed here extends that given in [KVW01] for solving the module checking problem for finite-state open systems with respect to CTL and CTL*. The extension concerns the handling of forest models instead of trees and of formulas of the hybrid graded $\mu$-calculus. Before starting, there are a few technical difficulties to be overcome. First, we notice that $exec(\mathcal{M})$ contains quasi-forests, with labels on both edges and nodes, while Büchi automata can only accept trees with labels on nodes. This problem is overcome by using the following three-step transformation:

(1) move the label of each edge to the target node of the edge (formally, using a new propositional symbol $p_a$ for each atomic program $a$),

(2) substitute edges to roots with new propositional symbols $\uparrow^a_o$ (which represents an $a$-labeled edge from the current node to the unique root node labeled by the nominal $o$), and

(3) add a new root, labeled with a new symbol $root$, and connect it with the old roots of the quasi-forest.
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Let AP' = AP U {pa I a € Prog} U {I" | a S Prog and o S A^om}, we denote with 
(T, y') the (2^^'u^°'^U{root})-labeled tree encoding of a quasi-forest {F, V, E) G exec{M), 
obtained using the above transformation. 

Another technical difficulty to handle is related to the fact that quasi-forests of $exec(\mathcal{M})$ (and thus their encodings) may not share the same structure, since they are obtained by pruning some subtrees from the computation quasi-forest $\langle F_\mathcal{M}, V_\mathcal{M}, E_\mathcal{M}\rangle$ of $\mathcal{M}$. Let $(T_\mathcal{M}, V_\mathcal{M})$ be the computation tree of $\mathcal{M}$ obtained from $\langle F_\mathcal{M}, V_\mathcal{M}, E_\mathcal{M}\rangle$ using the above encoding. By extending an idea of [KVW01], we solve the technical problem by considering each tree $(T, V')$, encoding of a quasi-forest of $exec(\mathcal{M})$, as a $(2^{AP' \cup Nom} \cup \{root, \bot\})$-labeled tree $(T_\mathcal{M}, V'')$ (where $\bot$ is a fresh proposition name not belonging to $AP \cup Nom \cup \{root\}$) such that for each node $x \in T_\mathcal{M}$, if $x \in T$ then $V''(x) = V'(x)$, otherwise $V''(x) = \{\bot\}$. Thus, we label each node pruned in $(T_\mathcal{M}, V_\mathcal{M})$ with $\{\bot\}$ and, recursively, we label with $\{\bot\}$ its subtrees. In this way, all trees encoding quasi-forests of $exec(\mathcal{M})$ have the same structure as $(T_\mathcal{M}, V_\mathcal{M})$; they differ only in their labeling.

Accordingly, we can think of an environment as a strategy for placing $\{\bot\}$ in $(T_\mathcal{M}, V_\mathcal{M})$, with the aim of preventing the system from satisfying a desired property while not considering the nodes labeled with $\bot$. Moreover, the environment can also disable jumps to roots. This is performed by removing from nodes corresponding to environment states some of the $\uparrow^a_o$ labels. Notice that since we consider environments that do not block the system, each node associated with an environment state has at least one successor not labeled by $\{\bot\}$, unless it has some $\uparrow^a_o$ in its label.

Let us denote by $\widehat{exec}(\mathcal{M})$ the set of all $(2^{AP' \cup Nom} \cup \{root, \bot\})$-labeled trees $(T_\mathcal{M}, V'')$ obtained from $\langle F, V, E\rangle \in exec(\mathcal{M})$ in the above described manner. The required NBT $\mathcal{A}_\mathcal{M}$ must accept all and only the $(2^{AP' \cup Nom} \cup \{root, \bot\})$-labeled trees in $\widehat{exec}(\mathcal{M})$. The automaton $\mathcal{A}_\mathcal{M} = (\Sigma, D, Q, \delta, q_0, \mathcal{F})$ is defined for a module $\mathcal{M} = \langle W_s, W_e, W_0, R, L\rangle$ as follows:

• $\Sigma = 2^{AP' \cup Nom \cup \{root, \bot\}}$.

• $D = \bigcup_{w \in W} |succ(w) \setminus W_0|$ (that is, $D$ contains, for each state in $W$, the number of its successors, excluding its jumps to roots).

• $Q = (W \times \{\bot, \top, \vdash\}) \cup \{q_0\}$, with $q_0 \notin W$. Thus every state $w$ of $\mathcal{M}$ induces three states $(w, \bot)$, $(w, \top)$, and $(w, \vdash)$ in $\mathcal{A}_\mathcal{M}$. Intuitively, when $\mathcal{A}_\mathcal{M}$ is in state $(w, \bot)$, it can read only $\bot$; in state $(w, \top)$, it can read only letters in $2^{AP' \cup Nom}$; and in state $(w, \vdash)$, it can read both letters in $2^{AP' \cup Nom}$ and $\bot$. In this last case, it is left to the environment to decide whether the transition to a state of the form $(w, \vdash)$ is enabled. The three types of states are used to ensure that the environment enables all transitions from enabled system states, enables at least one transition from each enabled environment state, and disables transitions from disabled states.

• The transition function $\delta : Q \times \Sigma \times D \to 2^{Q^*}$ is defined as follows. Let $x \in T$ be a node of the input tree.

— if $root \in V(x)$ then (let $W_0 = \{w_1, \ldots, w_m\}$)

$$\delta(q_0, root, m) = \{((w_1, \top), \ldots, (w_m, \top))\},$$

that is, $\delta(q_0, root, m)$ contains exactly one $m$-tuple of all the roots of the forest. In this case, no transition can be disabled;

— if $root \notin V(x)$, let $V(x) = w$ and let $succ(w) \setminus W_0 = \{w_1, \ldots, w_n\}$ be the set of non-root successors of $w$; then we have
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* for It; e We U Ws and g € {h, _L} we have 

S{{w,g),-\-,n) = {((u'i,_L), . . . , (w„,_L))}, 

that is 6{{w, g), -L,n) contains exactly one n-tuple of all non-roots successors of w. 
In this case, all transitions to successors of w are recursively disabled; 

* for $w \in W_s$ and $g \in \{\top, \vdash\}$ we have

$$\delta((w, g), L(w), n) = \{((w_1, \top), \ldots, (w_n, \top))\},$$

that is, $\delta((w, g), L(w), n)$ contains exactly one $n$-tuple of all non-root successors of $w$. In this case all transitions to successors of $w$ are enabled;

* for $w \in W_e$ and $g \in \{\top, \vdash\}$ with $L(w) \cap \{\uparrow^a_o \mid a \in Prog \text{ and } o \in Nom\} = \emptyset$ (i.e., $w$ has no jumps to roots or all of them have been disabled), we have

$$\delta((w, g), L(w), n) = \{((w_1, \top), (w_2, \vdash), \ldots, (w_n, \vdash)),\ ((w_1, \vdash), (w_2, \top), \ldots, (w_n, \vdash)),\ \ldots,\ ((w_1, \vdash), (w_2, \vdash), \ldots, (w_n, \top))\},$$

that is, $\delta((w, g), L(w), n)$ contains $n$ different $n$-tuples of all non-root successors of $w$. When $\mathcal{A}_\mathcal{M}$ proceeds according to the $i$-th tuple, the environment can disable all transitions to successors of $w$, except that to $w_i$;

* for $w \in W_e$ and $g \in \{\top, \vdash\}$ with $L(w) \cap \{\uparrow^a_o \mid a \in Prog \text{ and } o \in Nom\} \neq \emptyset$ (i.e., $w$ has at least one jump to roots enabled), we have

$$\delta((w, g), L(w), n) = \{((w_1, \vdash), \ldots, (w_n, \vdash))\},$$

that is, $\delta((w, g), L(w), n)$ contains one $n$-tuple of non-root successors of $w$, which can be successively disabled.

Notice that $\delta$ is not defined when $n$ is different from the number of non-root successors of $w$, and when the input does not meet the restriction imposed by the $\top$, $\vdash$, and $\bot$ annotations or by the labeling of $w$.

The automaton $\mathcal{A}_\mathcal{M}$ has $3 \cdot |W| + 1$ states, $2^{|AP'| + |Nom|} + 2$ symbols, and the size of the transition relation $|\delta|$ is bounded by $|R| \cdot (|W| \cdot 2^{|W|})$.
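The three state types and the case analysis of $\delta$ above, as an added Python example that is not code from the paper: it builds $\delta$ for a small constructed module and checks finite prefixes of encoded trees for a run of $\mathcal{A}_\mathcal{M}$, so one can see which environment choices (disabling a subtree, dropping a jump label, blocking the system) are accepted. The string encoding of jump symbols, the module and the sample trees are assumptions of the example.

```python
# Added example (not from the paper): the transition function of the NBT A_M
# of Section 5, run on finite prefixes of encoded trees. A pruned node reads
# the letter {⊥}; the annotations ⊤ / ⊢ / ⊥ are the page's three state types.
# Jump symbols ↑^a_o are encoded as strings starting with "↑" (our choice).
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Letter = FrozenSet[str]
BOT_LETTER: Letter = frozenset({"⊥"})       # label of a disabled (pruned) node
ROOT_LETTER: Letter = frozenset({"root"})   # label of the artificial root
TOP, ENABLE, DISABLED = "⊤", "⊢", "⊥"       # annotations g of the states (w, g)
Q0 = "q0"
Annot = Tuple[str, str]


@dataclass(frozen=True)
class Module:
    ws: FrozenSet[str]                    # system states W_s
    we: FrozenSet[str]                    # environment states W_e
    w0: Tuple[str, ...]                   # roots W_0, in a fixed order
    succ: Dict[str, Tuple[str, ...]]      # succ(w) \ W_0 (non-root successors), in a fixed order
    label: Dict[str, Letter]              # L(w), possibly containing jump symbols


def jumps(letter: Letter) -> Letter:
    return frozenset(p for p in letter if p.startswith("↑"))


def delta(m: Module, state, letter: Letter, n: int) -> Set[Tuple[Annot, ...]]:
    """δ(state, letter, n): the n-tuples A_M may send to the children.
    The empty set means δ is undefined, i.e. the input is rejected here."""
    if state == Q0:
        # artificial root: exactly one tuple, every root of the forest enabled
        if letter == ROOT_LETTER and n == len(m.w0):
            return {tuple((w, TOP) for w in m.w0)}
        return set()
    w, g = state
    succ = m.succ[w]
    if n != len(succ):
        return set()
    if letter == BOT_LETTER:
        # only ⊢- or ⊥-annotated nodes may be disabled; the subtree is then disabled recursively
        return {tuple((s, DISABLED) for s in succ)} if g in (ENABLE, DISABLED) else set()
    if g == DISABLED:
        return set()                      # a disabled node must read ⊥
    if w in m.ws:
        # system state: the label must be L(w) and every successor stays enabled
        return {tuple((s, TOP) for s in succ)} if letter == m.label[w] else set()
    # environment state: the environment may drop jump symbols from L(w), nothing else
    if not (letter <= m.label[w] and letter - jumps(letter) == m.label[w] - jumps(m.label[w])):
        return set()
    if not jumps(letter):
        # no jump enabled: the i-th tuple forces w_i to stay enabled
        return {tuple((s, TOP if j == i else ENABLE) for j, s in enumerate(succ)) for i in range(n)}
    # a jump to a root is enabled: all non-root successors may be disabled
    return {tuple((s, ENABLE) for s in succ)}


# A tree prefix is (letter, children); children None = not expanded, which is
# accepted from any state because every state of the NBT A_M is accepting.
Tree = Tuple[Letter, Optional[List["Tree"]]]


def has_run(m: Module, state, tree: Tree) -> bool:
    letter, children = tree
    if children is None:
        return True
    return any(all(has_run(m, st, ch) for st, ch in zip(tup, children))
               for tup in delta(m, state, letter, len(children)))


def accepted(m: Module, tree: Tree) -> bool:
    """True iff the encoded tree prefix has a run of A_M starting in q0."""
    return has_run(m, Q0, tree)


# Constructed module: two roots r, r2 (system); e and e2 are environment
# states, e2 carries a jump label; s1, s2 are system states without successors.
M = Module(
    ws=frozenset({"r", "r2", "s1", "s2"}), we=frozenset({"e", "e2"}), w0=("r", "r2"),
    succ={"r": ("e",), "r2": ("e2",), "e": ("s1", "s2"), "e2": ("s1",), "s1": (), "s2": ()},
    label={"r": frozenset({"p"}), "r2": frozenset({"p2"}), "e": frozenset({"q"}),
           "e2": frozenset({"q", "↑a_o"}), "s1": frozenset({"a"}), "s2": frozenset({"b"})},
)
BOT: Tree = (BOT_LETTER, [])              # a pruned leaf


def leaf(*props: str) -> Tree:
    return (frozenset(props), [])


def encode(children_e: List[Tree], children_e2: List[Tree], e2_letter: Optional[Letter] = None) -> Tree:
    """Encoded tree: root -> {r -> e -> children_e, r2 -> e2 -> children_e2}."""
    e2_letter = M.label["e2"] if e2_letter is None else e2_letter
    return (ROOT_LETTER, [(frozenset({"p"}), [(frozenset({"q"}), children_e)]),
                          (frozenset({"p2"}), [(e2_letter, children_e2)])])


if __name__ == "__main__":
    print(accepted(M, encode([leaf("a"), BOT], [leaf("a")])))     # one successor of e disabled: True
    print(accepted(M, encode([BOT, BOT], [leaf("a")])))           # environment blocks the system: False
    print(accepted(M, encode([leaf("a"), leaf("b")], [BOT], frozenset({"q"}))))  # jump dropped, all disabled: False
```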

We recall that a node labeled by either $\{\bot\}$ or $\{root\}$ stands for a node that actually does not exist. Thus, we have to take this into account when we interpret formulas of the hybrid graded $\mu$-calculus over trees $(T_\mathcal{M}, V') \in \widehat{exec}(\mathcal{M})$. In order to achieve this, as in [KVW01] we define a function $f$ that transforms the input formula $\varphi$ into a formula of the hybrid graded $\mu$-calculus $\varphi' = \langle 0, a\rangle f(\varphi)$ (where $a \in Prog$ is an arbitrary atomic program), which restricts path quantification to only paths that never visit a state labeled with $\{\bot\}$. The function $f$ we consider extends that given in [KVW01] and is inductively defined as follows:

• $f(\mathit{true}) = \mathit{true}$ and $f(\mathit{false}) = \mathit{false}$;

• $f(p) = p$ and $f(\neg p) = \neg p$ for all $p \in AP \cup Nom$;

• $f(x) = x$ for all $x \in Var$;

• $f(\varphi_1 \vee \varphi_2) = f(\varphi_1) \vee f(\varphi_2)$ and $f(\varphi_1 \wedge \varphi_2) = f(\varphi_1) \wedge f(\varphi_2)$ for all hybrid graded $\mu$-calculus formulas $\varphi_1$ and $\varphi_2$;

• $f(\mu x.\varphi(x)) = \mu x.f(\varphi(x))$ and $f(\nu x.\varphi(x)) = \nu x.f(\varphi(x))$ for all $x \in Var$ and hybrid graded $\mu$-calculus formulas $\varphi$;

• $f(\langle n, a\rangle\varphi) = \langle n, a\rangle(\neg\bot \wedge f(\varphi))$ for $n \in \mathbb{N}$ and for all atomic programs $a$ and hybrid graded $\mu$-calculus formulas $\varphi$;

• $f([n, a]\varphi) = [n, a](\neg\bot \wedge f(\varphi))$ for $n \in \mathbb{N}$ and for all atomic programs $a$ and hybrid graded $\mu$-calculus formulas $\varphi$.

By definition of $f$, it follows that for each formula $\varphi$ and $(T, V) \in \widehat{exec}(\mathcal{M})$, $(T, V)$ satisfies $\varphi' = \langle 0, a\rangle f(\varphi)$ iff the $2^{AP' \cup Nom}$-labeled forest, obtained from $(T, V)$ by removing the node labeled with $\{root\}$ and all nodes labeled by $\{\bot\}$, satisfies $\varphi$. Therefore, we solve the module checking problem of $\mathcal{M}$ against a hybrid graded $\mu$-calculus formula $\varphi$ by checking (for its negation) that in $\widehat{exec}(\mathcal{M}) = \mathcal{L}(\mathcal{A}_\mathcal{M})$ there does not exist any tree $(T, V)$ satisfying $\neg\varphi' = [0, a]f(\neg\varphi)$ (note that $|f(\neg\varphi)| =$ ). We reduce the latter to checking the emptiness of a GAPT $\mathcal{A}_{\mathcal{M} \times f(\neg\varphi)}$ that is defined as the intersection of the NBT $\mathcal{A}_\mathcal{M}$ with a GAPT $\mathcal{A}_{f(\neg\varphi)}$ accepting exactly the $2^{AP' \cup Nom} \cup \{root, \bot\}$-labeled tree encodings of quasi-forests not satisfying $f(\varphi)$. By Lemma 2, if $\varphi$ is a hybrid graded $\mu$-calculus formula, then $\mathcal{A}_{f(\neg\varphi)}$ has $O(|\varphi|^2)$ states, index $|\varphi|$, and counting bound $b$. Therefore, by Lemma 1, $\mathcal{A}_{\mathcal{M} \times f(\neg\varphi)}$ has $O(|W| + |\varphi|^2)$ states, index $|\varphi|$, and counting bound $b$. By recalling that the emptiness problem for a GAPT can be decided in exponential time (Theorem 1), we obtain that the module checking problem for hybrid graded $\mu$-calculus formulas is solvable in exponential time. To show a tight lower bound we recall that CTL module checking is ExpTime-hard [KVW01] and every CTL formula can be linearly transformed into a modal $\mu$-calculus formula [Jur98]. This shows that the module checking problem w.r.t. modal $\mu$-calculus formulas is ExpTime-hard and thus leads to the following result.

Theorem 2. The module checking problem with respect to hybrid graded $\mu$-calculus formulas is ExpTime-complete.

6. Deciding Hybrid Graded $\mu$-calculus PD-module Checking

In this section, we show that hybrid graded pushdown module checking is decidable and solvable in 2ExpTime. Since CTL pushdown module checking is 2ExpTime-hard, we get that the addressed problem is 2ExpTime-complete. For the upper bound, the algorithm works as follows. Given an OPD $\mathcal{S}$ and the module $\mathcal{M}_\mathcal{S}$ induced by $\mathcal{S}$, by combining and extending the constructions given in [BMP05] and Section 5, we first build in polynomial time a PD-NBT $\mathcal{A}_\mathcal{S}$ accepting each tree that encodes a quasi-forest belonging to $exec(\mathcal{M}_\mathcal{S})$. Then, given a hybrid graded $\mu$-calculus formula $\varphi$, according to [BLMV06], we build in polynomial time a GAPT $\mathcal{A}_{\neg\varphi}$ (Lemma 2) accepting all models that do not satisfy $\varphi$, with the intent of checking that none of these models are in $exec(\mathcal{M}_\mathcal{S})$. Then, according to the basic idea of [KVW01], we check that $\mathcal{M}_\mathcal{S} \models_r \varphi$ by checking whether $\mathcal{L}(\mathcal{A}_\mathcal{S}) \cap \mathcal{L}(\mathcal{A}_{\neg\varphi})$ is empty. Finally, we get the result by using an exponential-time reduction of the latter to the emptiness problem for PD-NPT, which by Proposition 4.1 can be solved in ExpTime. As a key step of the above reduction, we use the exponential-time translation from GAPT into NPT shown in Lemma 5.

Let us start dealing with $\mathcal{A}_\mathcal{S}$. Before building the automaton, there are some technical difficulties to overcome. First, notice that $\mathcal{A}_\mathcal{S}$ is a PD-NBT and it can only deal with trees having labels on nodes. Also, quasi-forests of $exec(\mathcal{M}_\mathcal{S})$ may not share the same structure, since they are obtained by pruning subtrees from the computation quasi-forest $\langle F_{\mathcal{M}_\mathcal{S}}, V_{\mathcal{M}_\mathcal{S}}, E_{\mathcal{M}_\mathcal{S}}\rangle$ of $\mathcal{M}_\mathcal{S}$. As in Section 5, we solve this problem by considering $2^{AP' \cup Nom} \cup \{root, \bot\}$-labeled tree encodings of quasi-forests $\langle F, V, E\rangle \in exec(\mathcal{M}_\mathcal{S})$, where $AP' = AP \cup \{p_a \mid a \in Prog\} \cup \{\uparrow^a_o \mid a \in Prog \text{ and } o \in Nom\}$.

Another technical difficulty to handle is related to the fact that quasi-forests of $exec(\mathcal{M}_\mathcal{S})$ (and thus their encodings) may not be full $h$-ary, since the nodes of the OPD from which $\mathcal{M}_\mathcal{S}$ is induced may have different degrees. Technically, we need this property since the emptiness problem for PD-NPT, to which we reduce our problem, has been solved in the literature only for PD-NPT working on full trees. Similarly to what we did for pruned nodes, we transform each tree encoding of a quasi-forest of $exec(\mathcal{M}_\mathcal{S})$ into a full $h$-ary tree by adding missing nodes labeled with $\{\bot\}$. Therefore the proposition $\bot$ is used to denote both "disabled" states and "completion" states. In this way, all tree encodings of quasi-forests of $exec(\mathcal{M}_\mathcal{S})$ are full $h$-ary trees, and they differ only in their labeling. Let us denote with $\widehat{exec}(\mathcal{M}_\mathcal{S})$ the set of all $2^{AP' \cup Nom} \cup \{root, \bot\}$-labeled full $h$-ary trees obtained from $\langle F_{\mathcal{M}_\mathcal{S}}, V_{\mathcal{M}_\mathcal{S}}, E_{\mathcal{M}_\mathcal{S}}\rangle$ using all the transformations described above.

In [BMP05] it has been shown how to build a PD-NBT accepting full $h$-ary trees embedded in an OPD corresponding to all behaviors of the environment. In particular, the PD-NBT constructed there already takes into account the above transformation regarding $\{\bot\}$-labeled nodes. By extending the construction proposed there in the same way the construction shown in Section 5 extends the classical construction of $\mathcal{A}_\mathcal{M}$ proposed in [KVW01], it is not hard to show that the following result holds.

Lemma 3. Given an OPD $\mathcal{S} = \langle Q, \Gamma, \flat, C_0, \Delta, \rho_1, \rho_2, Env\rangle$ with branching degree $h$, we can build a PD-NBT $\mathcal{A}_\mathcal{S} = (\Sigma, \Gamma, \flat, Q', q_0, \gamma_0, \delta, \mathcal{F})$, which accepts exactly $\widehat{exec}(\mathcal{M}_\mathcal{S})$, such that $\Sigma = 2^{AP' \cup Nom} \cup \{root, \bot\}$, $|Q'| = O(|Q|^2 \cdot |\Gamma|)$, and $|\delta|$ is polynomially bounded by $h \cdot |\Delta|$.

Let us now go back to the hybrid graded $\mu$-calculus formula $\varphi$. Using the function $f$ introduced in Section 5 and Lemma 2, we get that, given a hybrid graded $\mu$-calculus formula $\varphi$, we can build in polynomial time a GAPT $\mathcal{A}_{f(\neg\varphi)}$ accepting all models of $\neg\varphi' = [0, a]f(\neg\varphi)$ (as done in Section 5).

By using the classical ExpTime transformation from GAPT to GNPT [KSV02] and a simple ExpTime transformation from GNPT to NPT, we directly get a 3ExpTime algorithm for hybrid graded $\mu$-calculus pushdown module checking. To obtain an exponential-time improvement, here we show a non-trivial ExpTime transformation from 2GAPT to NPT. The translation we propose uses the notions of strategies, promises and annotations, which we now recall.

Let $\mathcal{A} = (\Sigma, b, Q, \delta, q_0, \mathcal{F})$ be a 2GAPT with $\mathcal{F} = \{F_1, \ldots, F_k\}$ and let $(T, V)$ be a $\Sigma$-labeled tree. Recall that $D_b = \langle[b]\rangle \cup [[b]] \cup \{-1, \varepsilon\}$ and $\delta : (Q \times \Sigma) \to B^+(D_b \times Q)$. For each control state $q \in Q$, let $index(q)$ be the minimal $i$ such that $q \in F_i$. A strategy tree for $\mathcal{A}$ on $(T, V)$ is a $2^{Q \times D_b \times Q}$-labeled tree $(T, str)$ such that, defining $head(w) = \{q : (q, d, q') \in w\}$ as the set of sources of $w$, it holds that (i) $q_0 \in head(str(root(T)))$ and (ii) for each node $x \in T$ and state $q$, the set $\{(d, q') : (q, d, q') \in str(x)\}$ satisfies $\delta(q, V(x))$.

A promise tree for $\mathcal{A}$ on $(T, V)$ is a $2^{Q \times Q}$-labeled tree $(T, pro)$. We say that $pro$ fulfills $str$ for $V$ if the states promised to be visited by $pro$ satisfy the obligations induced by $str$ as it runs on $V$. Formally, $pro$ fulfills $str$ for $V$ if for every node $x \in T$, the following holds: "for every $(q, \langle n\rangle, q') \in str(x)$ (resp. $(q, [n], q') \in str(x)$), at least $n + 1$ (resp. $deg(x) - n$) successors $x \cdot j$ of $x$ have $(q, q') \in pro(x \cdot j)$".

An annotation tree for $\mathcal{A}$ on $(T, str)$ and $(T, pro)$ is a $2^{Q \times \{1, \ldots, k\} \times Q}$-labeled tree $(T, ann)$ such that for each $x \in T$ and $(q, d_1, q_1) \in str(x)$ the following hold:

• if $d_1 = \varepsilon$, then $(q, index(q_1), q_1) \in ann(x)$;

• if $d_1 \in \{1, \ldots, k\}$, then for all $d_2 \in \{1, \ldots, k\}$ and $q_2 \in Q$ such that $(q_1, d_2, q_2) \in ann(x)$, we have $(q, \min(d_1, d_2), q_2) \in ann(x)$;

• if $d_1 = -1$ and $x = y \cdot i$, then for all $d_2, d_3 \in \{1, \ldots, k\}$ and all $q_2, q_3 \in Q$ satisfying $(q_1, d_2, q_2) \in ann(y)$ as well as $(q_2, d_3, q_3) \in str(y)$ and $(q_2, q_3) \in pro(x)$, we have that $(q, \min(index(q_1), d_2, index(q_3)), q_3) \in ann(x)$;

• if $d_1 \in [[b]] \cup \langle[b]\rangle$, $y = x \cdot i$, and $(q, q_1) \in pro(y)$, then for all $d_2, d_3 \in \{1, \ldots, k\}$ and $q_2, q_3 \in Q$ such that $(q_1, d_2, q_2) \in ann(y)$ and $(q_2, -1, q_3) \in str(y)$, it holds that $(q, \min(index(q_1), d_2, index(q_3)), q_3) \in ann(x)$.

A downward path induced by $str$, $pro$, and $ann$ on $(T, V)$ is a sequence $(x_0, q_0, t_0), (x_1, q_1, t_1), \ldots$ such that $x_0 = root(T)$, $q_0$ is the initial state of $\mathcal{A}$ and, for each $i \ge 0$, it holds that $x_i \in T$, $q_i \in Q$, and $t_i = (q_i, d, q_{i+1}) \in str(x_i) \cup ann(x_i)$ is such that either (i) $d \in \{1, \ldots, k\}$ and $x_{i+1} = x_i$, or (ii) $d \in \langle[b]\rangle \cup [[b]]$ and there exists $c \in \{1, \ldots, deg(x_i)\}$ such that $x_{i+1} = x_i \cdot c$ and $(q_i, q_{i+1}) \in pro(x_{i+1})$. In the first case we set $index(t_i) = d$ and in the second case we set $index(t_i) = \min\{j \in \{1, \ldots, k\} \mid q_{i+1} \in F_j\}$. Moreover, for a downward path $\pi$, we set $index(\pi)$ as the minimum index that appears infinitely often in $\pi$. Finally, we say that $\pi$ is accepting if $index(\pi)$ is even.

The following lemma relates languages accepted by 2GAPT with strategies, promises, 
and annotations. 

Lemma 4 ([BLMV06]). Let $\mathcal{A}$ be a 2GAPT. A $\Sigma$-labeled tree $(T, V)$ is accepted by $\mathcal{A}$ iff there exist a strategy tree $(T, str)$, a promise tree $(T, pro)$ for $\mathcal{A}$ on $(T, V)$ such that $pro$ fulfills $str$ for $V$, and an annotation tree $(T, ann)$ for $\mathcal{A}$ on $(T, V)$, $(T, str)$ and $(T, pro)$ such that every downward path induced by $str$, $pro$, and $ann$ on $(T, V)$ is accepting.

Given an alphabet $\Sigma$ for the input tree of a 2GAPT with transition function $\delta$, let $D_\delta$ be the subset containing only the elements of $D_b$ appearing in $\delta$. Then we denote by $\Sigma'$ the extended alphabet for the combined trees, i.e., $\Sigma' = \Sigma \times 2^{Q \times D_\delta \times Q} \times 2^{Q \times Q} \times 2^{Q \times \{1, \ldots, k\} \times Q}$.

Lemma 5. Let $\mathcal{A}$ be a 2GAPT running on $\Sigma$-labeled trees with $n$ states, index $k$ and counting bound $b$ that accepts $h$-ary trees. It is possible to construct in exponential time an NPT $\mathcal{A}'$ running on $\Sigma'$-labeled $h$-ary trees that accepts a tree iff $\mathcal{A}$ accepts its projection on $\Sigma$.

Proof. Let $\mathcal{A} = (\Sigma, b, Q, q_0, \delta, \mathcal{F})$ with $\mathcal{F} = \{F_1, \ldots, F_k\}$. By Lemma 4, we construct $\mathcal{A}'$ as the intersection of two NBT $\mathcal{A}'$, $\mathcal{A}''$ and an NPT $\mathcal{A}'''$. In particular, all these automata have size exponential in the size of $\mathcal{A}$. Moreover, since each NBT uses all its states as accepting, it is easy to intersect all of them in polynomial time by using a classical automata product. These automata are defined as follows. Given a $\Sigma'$-labeled tree $T' = (T, (V, str, pro, ann))$,

(1) $\mathcal{A}'$ accepts $T'$ iff $str$ is a strategy for $\mathcal{A}$ on $(T, V)$ and $pro$ fulfills $str$ for $V$,

(2) $\mathcal{A}''$ accepts $T'$ iff $ann$ is an annotation for $\mathcal{A}$ on $(T, V)$, $(T, str)$ and $(T, pro)$, and

(3) $\mathcal{A}'''$ accepts $T'$ iff every downward path induced by $str$, $pro$, and $ann$ on $(T, V)$ is accepting.

The automaton $\mathcal{A}' = (\Sigma', D', Q', q'_0, \delta', \mathcal{F}')$ works as follows: on reading a node $x$ labeled $(\sigma, \eta, \rho, \omega)$, it locally checks whether $\eta$ satisfies the definition of strategy for $\mathcal{A}$ on $(T, V)$. In particular, when $\mathcal{A}'$ is in its initial state, we check that $\eta$ contains a transition starting from the initial state of $\mathcal{A}$. Moreover, the automaton $\mathcal{A}'$ sends to each child $x \cdot i$ the pairs of states that have to be contained in $pro(x \cdot i)$, in order to verify that $pro$ fulfills $str$. To obtain this, we set $Q' = 2^{Q \times Q} \cup \{q'_0\}$, $D' = \{1, \ldots, h\}$ and $\mathcal{F}' = \{\emptyset, Q'\}$. To define $\delta'$, we first give the following definition. For each node $x \in T$ labeled $(\sigma, \eta, \rho, \omega)$, we set

$$S(\eta) = \{(S_1, \ldots, S_{deg(x)}) \in (2^{Q \times Q})^{deg(x)} \text{ such that}$$
$$[\text{for each } (q, \langle m\rangle, p) \in \eta \text{ there is } P \subseteq \{1, \ldots, deg(x)\} \text{ with } |P| = m + 1 \text{ such that for all } i \in P,\ (q, p) \in S_i] \text{ and}$$
$$[\text{for each } (q, [m], p) \in \eta \text{ there is } P \subseteq \{1, \ldots, deg(x)\} \text{ with } |P| = deg(x) - m \text{ such that for all } i \in P,\ (q, p) \in S_i]\}$$

to be the set of all tuples of size $deg(x)$, each fulfilling all graded modalities in $str(x)$. Notice that $|S(\eta)| \le 2^{n^2 h}$. Then we have

$$\delta'(q, (\sigma, \eta, \rho, \omega), deg(x)) = \begin{cases} S(\eta) & \text{if } \forall p \in head(\eta),\ \{(d, p') \mid (p, d, p') \in \eta\} \text{ satisfies } \delta(p, \sigma) \\ & \text{and } [(q = q'_0 \text{ and } q_0 \in head(\eta)) \text{ or } (q \neq q'_0 \text{ and } q \subseteq \rho)] \\ \text{false} & \text{otherwise.} \end{cases}$$

Hence, in $\mathcal{A}'$ we have $|Q'| = 2^{n^2} + 1$, $|\delta'| \le 2^{n^2(h+1)}$, and index 2.

$\mathcal{A}'' = (\Sigma', D'', Q'', q''_0, \delta'', \mathcal{F}'')$ works in a similar way to $\mathcal{A}'$. That is, for each node $x$, it first locally checks whether the constraints of the annotations are verified; then it sends to the children of $x$ the strategy and annotation associated with $x$, in order to successively verify whether the promises associated with the children nodes are consistent with the annotation of $x$. Therefore, in $\mathcal{A}''$ we have $Q'' = 2^{Q \times D_\delta \times Q} \times 2^{Q \times \{1, \ldots, k\} \times Q}$, $q''_0 = (\emptyset, \emptyset)$, $\mathcal{F}'' = \{\emptyset, Q''\}$, $D'' = \{1, \ldots, h\}$, and for a state $(\eta_{prev}, \omega_{prev})$ and letter $(\sigma, \eta, \rho, \omega)$ we have

$$\delta''((\eta_{prev}, \omega_{prev}), (\sigma, \eta, \rho, \omega), deg(x)) = \begin{cases} \{((\eta, \omega), \ldots, (\eta, \omega))\} & \text{if the local conditions for the annotations are verified} \\ \text{false} & \text{otherwise.} \end{cases}$$

Hence, in $\mathcal{A}''$ we have $|Q''| \le 2^{n^2(|\delta| + k)}$, $|\delta''| \le h \cdot 2^{n^2(|\delta| + k)}$, and index 2.

Finally, to define $\mathcal{A}'''$ we start by constructing a 2APT $\mathcal{B}$ whose size is polynomial in the size of $\mathcal{A}$ and which accepts $(T, (V, str, pro, ann))$ iff there is a non-accepting downward path (w.r.t. $\mathcal{A}$) induced by $str$, $pro$, and $ann$ on $(T, V)$. The automaton $\mathcal{B} = (\Sigma', Q^\mathcal{B}, q^\mathcal{B}_0, \delta^\mathcal{B}, \mathcal{F}^\mathcal{B})$ (which in particular does not need direction $-1$) essentially chooses, in each state, the downward path to walk on, and uses an integer to store the index of the state. We use a special state $\sharp$ not belonging to $Q$ to indicate that $\mathcal{B}$ proceeds in accordance with an annotation instead of a strategy. Therefore, $Q^\mathcal{B} = ((Q \cup \{\sharp\}) \times \{1, \ldots, k\} \times Q) \cup \{q^\mathcal{B}_0\}$.

To define the transition function on a node $x$, let us introduce a function $f$ that for each $q \in Q$, strategy $\eta \in 2^{Q \times D_b \times Q}$, and annotation $\omega \in 2^{Q \times \{1, \ldots, k\} \times Q}$ gives a formula satisfied along downward paths consistent with $\eta$ and $\omega$, starting from a node reachable in $\mathcal{A}$ with the state $q$. That is, in each node $x$, the function $f$ either proceeds according to the annotation $\omega$ or the strategy $\eta$ (note that $f$ does not check that the downward path is consistent with any promise). Formally, $f$ is defined as follows, where $index(p)$ is the minimum $i$ such that $p \in F_i$:

$$f(q, \eta, \omega) = \bigvee_{d \in \{1, \ldots, k\}} \ \bigvee_{(q, d, p) \in \omega} (\varepsilon, (\sharp, d, p)) \ \vee\ \bigvee_{d \in \langle[b]\rangle \cup [[b]]} \ \bigvee_{(q, d, p) \in \eta} \ \bigvee_{c \in \{1, \ldots, h\}} (c, (q, index(p), p))$$

Then, we have $\delta^\mathcal{B}(q^\mathcal{B}_0, (\sigma, \eta, \rho, \omega)) = f(q_0, \eta, \omega)$ and

$$\delta^\mathcal{B}((q, d, p), (\sigma, \eta, \rho, \omega)) = \begin{cases} \text{false} & \text{if } q \neq \sharp \text{ and } (q, p) \notin \rho \\ f(p, \eta, \omega) & \text{otherwise.} \end{cases}$$
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A downward path vr is non accepting for A if the minimum index that appears infinitely 
often in tt is odd. Therefore, J^^ = {F^ , . . . , F^^-^,Q^) where Ff = and, for ah i G 
{2, . . . , A; + 1}, we have F/^ = {{q, d,p) £ \ d = i - 1}. Thus, \Q^\ = kn{n + 1) + 1, 
\5^\ = k ■ \5\ ■ \Q^\, and the index is /c + 2. Then, since B is alternating, we can easily 
complement it in polynomial-time into a 2APT B that accepts a tree iff all downward paths 
induced by str, pro, and ann on (T, V) are accepting. Finally, following |Var98] we construct 
in exponential-time the desired automaton A'" . □ 

By applying the transformation given by Lemma 5 to the automaton $\mathcal{A}_{\neg\varphi'}$ defined above, we obtain, in exponential time in the size of $\varphi$, an NPT that accepts all the tree encodings of quasi-forests that do not satisfy $\varphi$. From Proposition 4.2, we can then build a PD-NPT $\mathcal{A}_{\mathcal{S} \times \neg\varphi}$ with size polynomial in the size of $\mathcal{S}$ and exponential in the size of $\varphi$ such that $\mathcal{L}(\mathcal{A}_{\mathcal{S} \times \neg\varphi}) = \mathcal{L}(\mathcal{A}_\mathcal{S}) \cap \mathcal{L}(\mathcal{A}_{\neg\varphi'})$. Hence, from Proposition 4.1 we obtain that hybrid graded $\mu$-calculus pushdown module checking can be solved in ExpTime in the size of $\mathcal{S}$ and in 2ExpTime in the size of $\varphi$. Finally, from the fact that CTL pushdown module checking is known to be 2ExpTime-hard with respect to the size of $\varphi$ and ExpTime-hard with respect to the size of $\mathcal{S}$ [BMP05], we obtain the following theorem.

Theorem 3. The hybrid graded $\mu$-calculus pushdown module checking problem is 2ExpTime-complete with respect to the size of the formula and ExpTime-complete with respect to the size of the system.

7. Fully Enriched $\mu$-calculus Module Checking

In this section, we consider a memoryless restriction of the module checking problem and investigate it with respect to formulas of the Fully enriched $\mu$-calculus. Given a formula $\varphi$, the memoryless module checking problem checks whether all trees in $exec(\mathcal{M})$, always taking the same choice in duplicate environment nodes, satisfy $\varphi$. In this section, we show that the (memoryless) module checking problem for Fully enriched $\mu$-calculus is undecidable.

Fully enriched $\mu$-calculus is the extension of hybrid graded $\mu$-calculus with inverse programs. Essentially, inverse programs allow us to specify properties about predecessors of a state. Given an atomic program $a \in Prog$, we denote its inverse program with $a^-$, and the syntax of the fully enriched $\mu$-calculus is simply obtained from the one we introduced for hybrid graded $\mu$-calculus by allowing both atomic and inverse programs in the graded modalities. Similarly, the semantics of fully enriched $\mu$-calculus is given, identically to the one for hybrid graded $\mu$-calculus, with respect to a Kripke structure $\mathcal{K} = \langle W, W_0, R, L\rangle$ in which, to deal with inverse programs, we define, for all $a \in Prog$, $R(a^-) = \{(v, w) \in W \times W \text{ such that } (w, v) \in R(a)\}$.

Let us note that, since the fully enriched $\mu$-calculus does not enjoy the forest model property [BP04], we cannot unwind a Kripke structure into a forest. However, it is always possible to unwind it into an equivalent acyclic graph that we call computation graph. In order to take into account all the possible behaviors of the environment, we consider all the possible subgraphs of the computation graph obtained by disabling some transitions from environment nodes but one. We denote with $graphs(\mathcal{M})$ the set of these graphs. Given a Fully enriched $\mu$-calculus formula $\varphi$, we have that $\mathcal{M} \models_r \varphi$ iff $\mathcal{K} \models \varphi$ for all $\mathcal{K} \in graphs(\mathcal{M})$.

To show the undecidability of the addressed problem, we need some further definitions. An (infinite) grid is a tuple $G = \langle \mathbb{N}^2, h, v\rangle$ such that $h$ and $v$ are defined as $h((x, y)) = (x + 1, y)$ and $v((x, y)) = (x, y + 1)$. Given a finite set of types $T$, we will call tile on $T$ a function $\rho : \mathbb{N}^2 \to T$ that associates a type from $T$ to each vertex of an infinite grid $G$, and we call tiled infinite grid the tuple $\langle G, T, \rho\rangle$. A grid model is an infinite Kripke structure $\mathcal{K} = \langle W, \{w_0\}, R, L\rangle$, on the set of atomic programs $Prog = \{l^-, v\}$, such that $\mathcal{K}$ can be mapped on a grid in such a way that $w_0$ corresponds to the vertex $(0, 0)$, $R(v)$ corresponds to $v$ and $R(l^-)$ corresponds to $h$. We say that a grid model $\mathcal{K}$ "corresponds" to a tiled infinite grid $\langle G, T, \rho\rangle$ if every state of $\mathcal{K}$ is labeled with only one atomic proposition (and zero or more nominals) and there exists a bijective function $p : T \to AP$ such that, if $w_{x,y}$ is the state of $\mathcal{K}$ corresponding with the node $(x, y)$ of $G$, then $p(\rho((x, y))) \in L(w_{x,y})$.

Theorem 4. The module checking problem for fully enriched $\mu$-calculus is undecidable.

Proof. To show the result, we use a reduction from the tiling problem (also known as the domino problem), known to be undecidable [Ber66]. The tiling problem is defined as follows.

Let $T$ be a finite set of types, and $H, V \subseteq T^2$ be two relations describing the types that cannot be vertically and horizontally adjacent in an infinite grid. The tiling problem is to decide whether there exists a tiled infinite grid $\langle G, T, \rho\rangle$ such that $\rho$ preserves the relations $H$ and $V$. We call such a tile function a legal tile for $G$ on $T$.

In [BP04], Bonatti and Peron showed undecidability of the satisfiability problem for fully enriched $\mu$-calculus by also using a reduction from the tiling problem. Hence, given a set of types $T$ and relations $H$ and $V$, they build an (alternation free) fully enriched $\mu$-calculus formula $\varphi$ such that $\varphi$ is satisfiable iff the tiling problem has a solution in a tiled infinite grid, with a legal tile $\rho$ on $T$ (with respect to $H$ and $V$). In particular, the formula they build can only be satisfiable on a grid model $\mathcal{K}$ corresponding to a tiled infinite grid with a legal tile $\rho$ on $T$. In the reduction we propose here, we use the formula $\varphi$ used in [BP04]. It remains to define the module.

Let $\{G_1, G_2, \ldots\}$ be the set of all the infinite tiled grids on $T$ (i.e., $G_i = \langle G, T, \rho_i\rangle$); we build a module $\mathcal{M}$ such that $graphs(\mathcal{M})$ contains, for each $i \ge 1$, a grid model corresponding to $G_i$. Therefore, we can decide the tiling problem by checking whether $\mathcal{M} \models_r \neg\varphi$. Indeed, if $\mathcal{M} \models_r \neg\varphi$, then all grid models corresponding to the $G_i$ do not satisfy $\varphi$ and, therefore, there is no solution for the tiling problem. On the other side, if $\mathcal{M} \not\models_r \neg\varphi$ then there exists a model for $\varphi$; since $\varphi$ can be satisfied only on a grid model corresponding to a tiled infinite grid with a legal tile on $T$ with respect to $H$ and $V$, we have that the tiling problem has a solution.

Formally, let $T = \{t_1, \ldots, t_m\}$ be the set of types; the module $\mathcal{M} = \langle W_s, W_e, W_0, R, L\rangle$ with respect to atomic programs $Prog = \{l^-, v\}$, atomic propositions $AP = T$, and nominals $Nom = \{o_1, \ldots, o_m\}$, is defined as follows:

• $W_s = \emptyset$, $W_e = \{x_1, \ldots, x_m, y_1, \ldots, y_m\}$ and $W_0 = \{x_1, \ldots, x_m\}$;

• for all $i \in \{1, \ldots, m\}$, $L(t_i) = \{x_i, y_i\}$ and $L(o_i) = \{x_i\}$;

• $= \{(x_i, x_j) \mid i, j \in \{1, \ldots, m\}\} \cup \{(y_i, y_j) \mid i, j \in \{1, \ldots, m\}\}$;

• $= \{(x_i, y_j) \mid i, j \in \{1, \ldots, m\}\} \cup \{(y_i, x_j) \mid i, j \in \{1, \ldots, m\}\}$.

Notice that we duplicate the set of nodes labeled with tiles since we cannot have pairs of nodes in $\mathcal{M}$ labeled with more than one atomic program (in our case, with both $v$ and $l^-$). Moreover, the choice of labeling the nodes $x_i$ with nominals is arbitrary. Finally, from the fact that the module contains only environment nodes, it immediately follows that, for each $i$, the grid model corresponding to the infinite tiled grid $G_i$ is contained in $graphs(\mathcal{M})$. □
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Figure 1: Results on Model Checking Problem. 



8. Notes on Fully Enriched $\mu$-calculus Model Checking

In this section, for the sake of completeness, we investigate the model checking problems for Fully enriched $\mu$-calculus and its fragments, for both pushdown and finite-state systems.

In particular, we first consider the model checking problem for formulas of the $\mu$-calculus enriched with nominals (hybrid $\mu$-calculus) or graded modalities (graded $\mu$-calculus) or both, for pushdown systems (PDMC, for short) and finite-state systems (FSMC, for short), i.e. Kripke structures. In particular, we show that for graded $\mu$-calculus, PDMC is solvable in 2ExpTime and FSMC is solvable in ExpTime. Moreover, we show that for hybrid $\mu$-calculus PDMC is ExpTime-complete and FSMC is in UP $\cap$ co-UP, thus matching the known results for (propositional) $\mu$-calculus model checking (see [Wal96] for PDMC and [Wil01] for FSMC), and that, for hybrid graded $\mu$-calculus, PDMC is solvable in 2ExpTime and FSMC is solvable in ExpTime.

In order to also handle the μ-calculus enriched (among the other constructs) with inverse programs, we consider PDMC with respect to a restricted pushdown system that, in each transition, can increase the size of the stack by at most one (single-push system). To this aim, we define a single-push system with three stack operations: for $A \in \Gamma$, $sub(A)$ changes the top of the stack into $A$, $push(A)$ pushes the symbol $A$ on the top of the stack, and $pop()$ pops the top symbol of the stack. Formally, a single-push system $S$ is a pushdown system in which the transition function is $\Delta : Prog \to 2^{(Q \times \Gamma) \times (Q \times \{sub, push, pop\} \times \Gamma)}$. For consistency reasons, we assume that if the top of the stack is the bottom-of-stack symbol ♭, then $sub(A)$ behaves as $push(A)$ and $pop()$ has no effect.

We call the model checking problem for single-push systems single-push model checking (SPMC, for short). In this case, we show that for the full hybrid μ-calculus (μ-calculus enriched with inverse programs and nominals), SPMC is Exptime-complete and FSMC is in UP ∩ co-UP, and that for the Fully enriched μ-calculus and for the full graded μ-calculus (μ-calculus enriched with inverse programs and graded modalities), SPMC is in 2Exptime and FSMC is in Exptime. In Figure 8 we report known and new results on the model checking problem for the Fully enriched μ-calculus and its fragments.

To prove our results, we simply rule out inverse programs and nominals from the input formula. In particular, we first observe that, from a model checking point of view, checking a formula with inverse programs on a graph (finite or infinite) is equivalent to checking the formula "forward" on the graph enriched with the opposite edges. That is, we treat the inverse programs in the formula as special atomic programs, to be checked on the opposite edges we have added to the graph. Note that this observation does not apply to PDMC in general: in order to present the previous configurations as the next configurations of an inverse program, we need to limit the pushdown system to be single push. Thus, we obtain the following result.

Lemma 6. Let $\lambda_\mu$ be an enrichment of the μ-calculus with inverse programs. Then SPMC (resp., FSMC) w.r.t. $\lambda_\mu$ can be reduced in linear time to SPMC (resp., FSMC) w.r.t. $\lambda_\mu$ without inverse programs.

Proof. Here we only show the proof for FSMC, since the one for SPMC is similar. Let $\mathcal{K} = (W, W_0, R, L)$ be a model that uses atomic programs from $Prog$, and let $\varphi$ be a formula of $\lambda_\mu$. Then, we define a new model $\mathcal{K}'$ and a new formula $\varphi'$ as follows: $\mathcal{K}' = (W, W_0, R', L)$ uses atomic programs from the set $Prog' = Prog \cup \{\bar{a} \mid a \in Prog\}$ (it does not use inverse programs) and has the transition relation defined by $R'(a) = R(a)$ and $R'(\bar{a}) = R(a^-)$ for all $a \in Prog$. On the other side, $\varphi'$ is the formula of $\lambda_\mu$ without inverse programs obtained from $\varphi$ by replacing $a^-$ with $\bar{a}$ for all $a \in Prog$. It is then easy to see that $\mathcal{K} \models \varphi$ iff $\mathcal{K}' \models \varphi'$, and this completes the proof of the lemma. □

Furthermore, from the model checking point of view, one can treat each nominal in the input formula as a particular atomic proposition. Thus we obtain the following result.

Lemma 7. Let $\lambda_\mu$ be the μ-calculus enriched with nominals and possibly with graded modalities. Then PDMC, SPMC and FSMC w.r.t. $\lambda_\mu$ can be respectively reduced in linear time to PDMC, SPMC and FSMC w.r.t. $\lambda_\mu$ without nominals.

Proof. In this case too, we show the proof only for FSMC. Let $\mathcal{K} = (W, W_0, R, L)$ be a model that uses atomic propositions from $AP$ and nominals from $Nom$, and let $\varphi$ be a formula of $\lambda_\mu$. Then, we consider the new model $\mathcal{K}' = (W, W_0, R, L)$ that uses atomic propositions from the set $AP' = AP \cup Nom$ ($\mathcal{K}'$ does not use nominals); moreover, let $\varphi'$ be the formula $\varphi$ interpreted as a formula of $\lambda_\mu$ without nominals over the set of atomic propositions $AP'$. Then, it is easy to see that $\mathcal{K} \models \varphi$ iff $\mathcal{K}' \models \varphi'$. □
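The two reductions of Lemmas 6 and 7 are purely syntactic on a finite structure, which makes them easy to check mechanically. The following is an added example, not code from the paper: a small Kripke structure with one atomic program, one nominal and inverse programs, a fixpoint model checker for the corresponding fragment of the Fully enriched μ-calculus (inverse programs, nominals, graded modalities), and the two rewritings. The program name 'a', the labels 'p' and 'o', the suffix '_bar' standing for $\bar{a}$ and the trailing '-' standing for $a^-$ are all assumptions made for this illustration; the 4-state structure is constructed, not taken from the paper.

```python
"""Lemmas 6 and 7 in code (added example, not from the paper): a finite Kripke
structure, a Kleene-iteration model checker for a fragment of the Fully enriched
mu-calculus, and the two linear-time rewritings that remove inverse programs
(Lemma 6) and nominals (Lemma 7). Names 'a', 'p', 'o', '_bar' and the 4-state
structure in demo() are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Kripke:
    states: frozenset   # W  (W_0 plays no role in the state-set semantics below)
    R: dict             # atomic program -> set of (source, target) edges
    L: dict             # atomic proposition or nominal -> set of states
    nominals: frozenset # labels that are nominals (each denotes one state)

    def successors(self, prog, u):
        """prog-successors of u; a trailing '-' denotes the inverse program a^-."""
        if prog.endswith('-'):
            return {v for (v, w) in self.R[prog[:-1]] if w == u}
        return {w for (v, w) in self.R[prog] if v == u}


def sat(K, f, env=None):
    """Set of states of K satisfying f.  f is a nested tuple: ('prop', p),
    ('nom', o), ('var', X), ('not', g), ('and', g, h), ('or', g, h),
    ('dia', prog, g), ('box', prog, g), ('gdia', n, prog, g) meaning
    "at least n+1 prog-successors satisfy g", ('mu', X, g), ('nu', X, g).
    Fixpoints use Kleene iteration, exact on finite K when g is positive in X."""
    env = env or {}
    op = f[0]
    if op in ('prop', 'nom'):
        return set(K.L.get(f[1], ()))
    if op == 'var':
        return set(env[f[1]])
    if op == 'not':
        return set(K.states) - sat(K, f[1], env)
    if op == 'and':
        return sat(K, f[1], env) & sat(K, f[2], env)
    if op == 'or':
        return sat(K, f[1], env) | sat(K, f[2], env)
    if op == 'dia':                      # <prog>g is <0, prog>g
        return sat(K, ('gdia', 0, f[1], f[2]), env)
    if op == 'box':                      # [prog]g is not <prog> not g
        return set(K.states) - sat(K, ('dia', f[1], ('not', f[2])), env)
    if op == 'gdia':
        n, prog, g = f[1], f[2], f[3]
        S = sat(K, g, env)
        return {u for u in K.states if len(K.successors(prog, u) & S) > n}
    if op in ('mu', 'nu'):
        X, g = f[1], f[2]
        cur = set() if op == 'mu' else set(K.states)
        while True:
            nxt = sat(K, g, {**env, X: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")


def _map(f, fn):
    """Rebuild formula f bottom-up, applying fn to every node."""
    return fn(tuple(_map(x, fn) if isinstance(x, tuple) else x for x in f))


def drop_inverse(K, f):
    """Lemma 6: add a fresh program a_bar with R'(a_bar) = R(a)^-1 for every a
    and replace each inverse program a- in f by a_bar."""
    R2 = dict(K.R)
    for a, edges in K.R.items():
        R2[a + '_bar'] = {(w, v) for (v, w) in edges}

    def ren(prog):
        return prog[:-1] + '_bar' if prog.endswith('-') else prog

    def fn(n):
        if n[0] in ('dia', 'box'):
            return (n[0], ren(n[1]), n[2])
        if n[0] == 'gdia':
            return (n[0], n[1], ren(n[2]), n[3])
        return n

    return Kripke(K.states, R2, K.L, K.nominals), _map(f, fn)


def drop_nominals(K, f):
    """Lemma 7: read every nominal as an ordinary atomic proposition; L is unchanged."""
    K2 = Kripke(K.states, K.R, K.L, frozenset())
    return K2, _map(f, lambda n: ('prop', n[1]) if n[0] == 'nom' else n)


def demo():
    """Evaluate three formulas directly and through both reductions."""
    # Constructed structure: edges of program 'a', proposition 'p', nominal 'o'.
    K = Kripke(frozenset(range(4)),
               {'a': {(0, 1), (1, 2), (2, 1), (2, 3), (3, 0)}},
               {'p': {1, 3}, 'o': {0}}, frozenset({'o'}))
    formulas = {
        # least fixpoint: o, or p-states having an a-predecessor already in X
        'phi': ('mu', 'X', ('or', ('nom', 'o'),
                            ('and', ('prop', 'p'), ('dia', 'a-', ('var', 'X'))))),
        'psi': ('gdia', 1, 'a', ('prop', 'p')),   # at least two a-successors in p
        'chi': ('box', 'a-', ('prop', 'p')),       # every a-predecessor satisfies p
    }
    result = {}
    for name, f in formulas.items():
        direct = sat(K, f)
        K1, f1 = drop_inverse(K, f)       # Lemma 6
        K2, f2 = drop_nominals(K1, f1)    # Lemma 7
        assert direct == sat(K1, f1) == sat(K2, f2), name
        result[name] = frozenset(direct)
    return result
```

The equality asserted in `demo()` is exactly the "$\mathcal{K} \models \varphi$ iff $\mathcal{K}' \models \varphi'$" of both proofs, checked on every state at once. The check is only meaningful on finite structures: on the configuration graph of a pushdown system the opposite edges cannot be generated by an ordinary pushdown transition, which is why the text restricts the inverse-program case to single-push systems.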

From Lemmas 6 and 7 and the fact that for the propositional μ-calculus PDMC is Exptime-complete [Wal96] and FSMC is in UP ∩ co-UP [Wil01], we directly have that hybrid μ-calculus PDMC is Exptime-complete, (full) hybrid μ-calculus SPMC is solvable in Exptime and (full) hybrid μ-calculus FSMC is in UP ∩ co-UP. Now, in [Wal96] it has been shown that μ-calculus PDMC is Exptime-hard. The proof used there can be easily adapted to handle single-push systems without incurring any complexity blowup. Thus, we obtain the following result.

Theorem 5. Hybrid μ-calculus PDMC is Exptime-complete, (full) hybrid μ-calculus SPMC is Exptime-complete and (full) hybrid μ-calculus FSMC is in UP ∩ co-UP.

Finally, from Lemmas 6 and 7 we have that hybrid graded μ-calculus PDMC can be reduced in linear time to graded μ-calculus PDMC, Fully enriched μ-calculus SPMC can be reduced in linear time to graded μ-calculus SPMC (note that SPMC is a special case of PDMC), and Fully enriched μ-calculus FSMC can be reduced in linear time to graded μ-calculus FSMC. Since model checking is a special case of module checking, from Theorems 2 and 3 we have the following result.

Theorem 6. PDMC is solvable in 2Exptime for the (hybrid) graded μ-calculus, SPMC is solvable in 2Exptime for the Fully enriched μ-calculus and FSMC is solvable in Exptime for the Fully enriched μ-calculus.